Wednesday, 21 October 2015

Fake job offer: helicoptersjob.com

This job offer is a fake:

From:    victim@victimdomain.com
To:    victim@victimdomain.com
Date:    21 October 2015 at 14:35
Subject:    Staff Wanted

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in consultation services in the matter of bookkeeping and business administration.
We cooperate with different countries and currently we have many clients in the US.
Due to this fact, we need to increase the number of our destination representatives' regular staff.

In their duties will be included the document and payment control of our clients.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1000 up to $3,000 per month.

If you are interested in our offer, mail to us your answer on conrade@helicoptersjob.com and we will send you an extensive information as soon as possible.

Respectively submitted
Personnel department

The email appears to originate from the recipient's own email address, but this is just a forgery and is nothing to worry about.

The job being offered is actually part of a criminal operation, such as money laundering or some other fraud such as a parcel reshipping scam.

The domain helicoptersjob.com was registered just today to a registrant in China. It is connected with several other long-running job scams going back several years. Avoid.

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is a simple forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk

********************************************************************************************

This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

********************************************************************************************

The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending please check back.

UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal. The Hybrid Analysis for both samples is inconclusive [1] [2].

UPDATE 2:
An analysis of the documents shows an HTTP request to:

ip1.dynupdate.no-ip.com:8245

All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.

UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:

[screenshot; source: Malwr.com]
..then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file in %TEMP%\HichAz2.exe.
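
A quick triage check for the "corrupt document" situation described in UPDATE 3, added here as an example and not part of the original post or the author's analysis: legacy .doc/.xls files are OLE2 compound files whose signature must sit at offset 0, so a stray leading byte pushes it to offset 1 and the document fails to open. The code looks for the signature at offset 0, then for the same signature shifted by a few bytes of leading junk, and sanity-checks the header fields that follow it. The sample headers are constructed in the code for demonstration and are not the spam attachments.

```python
"""Triage helper: is an Office attachment a well-formed OLE2 (legacy .doc/.xls)
container, or is the OLE signature pushed off offset 0 by spurious leading bytes?
Added example for this post; the sample headers below are constructed, not the
real attachments."""
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 / Compound File Binary signature
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) containers are ZIPs
MAX_JUNK = 16                                      # how far in to look for a shifted signature


def header_fields_sane(data: bytes, offset: int = 0) -> bool:
    """Check the CFB header fields after the signature: major version 3 or 4,
    little-endian byte-order mark 0xFFFE, sector shift 9 (v3) or 12 (v4)."""
    if len(data) < offset + 32:
        return False
    major, byte_order, sector_shift = struct.unpack_from("<HHH", data, offset + 26)
    return byte_order == 0xFFFE and (major, sector_shift) in ((3, 9), (4, 12))


def classify_attachment(data: bytes) -> str:
    """Return 'ole' for a valid OLE2 header at offset 0, 'ole_shifted_by_<n>' when the
    signature is present but preceded by n junk bytes (the corrupt-by-one-byte case
    described in the post), 'ooxml_zip' for a ZIP container, else 'not_ole'."""
    if data.startswith(OLE_MAGIC) and header_fields_sane(data):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml_zip"
    idx = data.find(OLE_MAGIC, 1, MAX_JUNK + len(OLE_MAGIC))
    if idx > 0 and header_fields_sane(data, idx):
        return f"ole_shifted_by_{idx}"
    return "not_ole"


def build_sample_header(major: int = 3) -> bytes:
    """Constructed minimal 512-byte CFB header (not a real document): signature,
    zero CLSID, minor/major version, byte-order mark and sector shift."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHH", hdr, 24, 0x003E, major, 0xFFFE, 9 if major == 3 else 12)
    return bytes(hdr)


GOOD_SAMPLE = build_sample_header()               # opens normally
SHIFTED_SAMPLE = b"\x0a" + build_sample_header()  # one stray byte in front: does not open properly
ZIP_SAMPLE = ZIP_MAGIC + bytes(60)                # constructed stand-in for an OOXML file

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SAMPLE), ("shifted", SHIFTED_SAMPLE), ("zip", ZIP_SAMPLE)):
        print(f"{name:8s} -> {classify_attachment(blob)}")
```

A "shifted" result tells you the sample you are holding would not have executed its payload on the recipient's machine, which is the point UPDATE 3 makes; it is a classification only, and the sample should still go to a sandbox rather than be repaired and opened by hand.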

UPDATE 4:
The Hybrid Analysis reports for the documents [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:

www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe

At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this Malwr report indicate malicious traffic to the following IPs:

89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)


The payload is probably the Shifu banking trojan.

Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49
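
The two network indicators in this post, the dynamic-DNS check-in from UPDATE 2 and the recommended blocklist above, can be swept for in outbound proxy logs. The following is an added example, not the post's own tooling; it assumes Squid-style native access-log lines (the three lines embedded are constructed, with RFC 5737 documentation addresses standing in for the peers of benign requests) and flags a request when the destination host or peer IP is on the blocklist, or when it is an HTTP request to ip1.dynupdate.no-ip.com on port 8245.

```python
"""Sweep proxy access logs for the indicators in this post. Added example; the
log lines are constructed, not captured traffic."""
from urllib.parse import urlsplit

# Indicators quoted from the post.
BLOCKLIST_IPS = {"89.32.145.12", "119.47.112.227", "195.154.251.123", "157.252.245.49"}
CHECKIN_HOST = "ip1.dynupdate.no-ip.com"   # UPDATE 2: returns the opener's public IP
CHECKIN_PORT = 8245

# Constructed Squid native access-log lines (assumed field layout:
# time elapsed client code/status bytes method URL user hier/peer type).
SAMPLE_LOG = """\
1445420100.123    45 10.0.0.5 TCP_MISS/200 312 GET http://ip1.dynupdate.no-ip.com:8245/ - HIER_DIRECT/203.0.113.10 text/plain
1445420101.456   120 10.0.0.5 TCP_MISS/200 15872 GET http://89.32.145.12/ - HIER_DIRECT/89.32.145.12 application/octet-stream
1445420102.789    30 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.20 text/html
"""


def parse_squid_line(line: str):
    """Return (client, url, peer_ip) or None for lines that do not fit the layout."""
    fields = line.split()
    if len(fields) < 10:
        return None
    client, url, hier = fields[2], fields[6], fields[8]
    peer_ip = hier.split("/", 1)[1] if "/" in hier else None
    return client, url, peer_ip


def match_indicators(url: str, peer_ip):
    """Return a list of reasons this request matches the post's indicators."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BLOCKLIST_IPS or peer_ip in BLOCKLIST_IPS:
        reasons.append(f"blocklisted IP {peer_ip or host}")
    if host == CHECKIN_HOST and parts.port == CHECKIN_PORT:
        reasons.append(f"dynamic-DNS check-in to {host}:{CHECKIN_PORT}")
    return reasons


def sweep(log_text: str):
    """Return (client, url, reason) for every matching request in the log text."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if not parsed:
            continue
        client, url, peer_ip = parsed
        for reason in match_indicators(url, peer_ip):
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in sweep(SAMPLE_LOG):
        print(f"{client}  {url}  <- {reason}")
```

The check-in only shows up here if the infected host goes through the proxy; where it connects directly, the same two indicators apply to DNS logs (a query for the check-in hostname) and firewall logs (destination IP, or destination port 8245 to that host). The check-in on its own is not proof of infection, as the post says, but a client that hits it and then one of the blocklisted IPs is worth pulling for analysis.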

Tuesday, 20 October 2015

Malware spam: "Shaun Buzzard [shaunb@hubbardproducts.com]" / "Order"

This fake financial spam does not come from Hubbard Products but is instead a simple forgery with a malicious attachment:

From     Shaun Buzzard [shaunb@hubbardproducts.com]
Date     Tue, 20 Oct 2015 16:05:55 +0530
Subject     Order

Hi ,
Please find attached order.

Kind regards.
Shaun Buzzard

Hubbard Products Limited
Hillview, Church Road, Otley, Suffolk. IP69NP
Registered in England No. 6217134

Email: shaunb@hubbardproducts.com
DDI: 01473892216

Fax: 01473890687


Important Email Information :
The information contained in this email is confidential and may be legally privileged.
This email is intended to be viewed initially only by the named individual or legal
entity. If the reader of this email is not the intended recipient or a representative
of the intended recipient, you are hereby notified that any reading, dissemination
or copying of this email or of the information contained herein is prohibited. If
you have received this email in error please immediately notify the sender by return,
delete this email and destroy any hard copies immediately. Thank you

The attachment is named lp22_20151013_164535.doc and I have seen the following MD5s:

608D1733D6E47C7BEE187C1EE890D6E3
C6CD52B59FC772EDDE4DF5D4058524FE
001415839B511361BC429C379892065D


The payload is the Dridex Shifu banking trojan, as seen in this spam run earlier today.

Malware spam: "Purchase Order No: 48847" / "Harminder Saund"

This fake financial spam comes with a malicious payload:

From     Harminder Saund [MinSaund77@secureone.co.uk]
Date     Tue, 20 Oct 2015 16:08:53 +0700
Subject     Purchase Order No: 48847

Attached is a copy of our Purchase Order number 48847

==============
Harminder Saund

Secure One
==============

The sender's email address varies slightly, for example:

MinSaund77@secureone.co.uk
MinSaund92@secureone.co.uk
MinSaund94@secureone.co.uk
MinSaund013@secureone.co.uk

Attached is a file PO_48847.DOC which I have seen two different versions of so far (VirusTotal [1] [2]) each containing a slightly different malicious macro [1] [2]. There are probably different versions of the document with different macros.

Automated analysis is pending, however the payload is most likely the Dridex banking trojan. Please check back for updates.

MD5s:
c6cd52b59fc772edde4df5d4058524fe
001415839b511361bc429c379892065d

UPDATE:
So far, three download locations have been identified..

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

The payload has been reported to be Shifu, not Dridex.

Malware spam: "GOMEZ SANCHEZ"[postmail@bellair.net]

This spam comes with a malicious attachment:

From     "GOMEZ SANCHEZ"[postmail@bellair.net]
To    
Date     Tue, 20 Oct 2015 13:14:56 +0430
Subject     victim@victimdomain.tld

Congratulations

Print out the attachment file fill it and return it back by fax or email

Yours Sincerely

GOMEZ SANCHEZ
The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]) and contains one of these three malicious macros [1] [2] [3].

Analysis of the payload is pending, but is likely to be the Dridex banking trojan. Please check back later.

MD5s:
24d9cd4caca15882dc4f142b46a16622
9a10c47dcdd28017afeec5aca2c71191
d63f6150b45227c20901ee887062d8de

UPDATE:

Sources say that the payload is Shifu, not Dridex. So far, three download locations have been identified..

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

Monday, 19 October 2015

Malware spam: "COS007202" / "Stephanie Greaves [sgreaves@btros.co.uk]"

This fake financial spam does not come from Bombardier Transportation but is instead a simple forgery with a malicious attachment:

From     "Stephanie Greaves" [sgreaves@btros.co.uk]
Date     Mon, 19 Oct 2015 12:06:42 +0430
Subject     COS007202

Good morning,

Please see attached purchase order.

Kind regards,

Stephanie Greaves


Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD
Attached is a file COS007202.doc which comes in at least three different versions (VT results [1] [2] [3]) each containing a slightly different malicious macro [1] [2] [3] [pastebin].

Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan. Please check back later.


UPDATE:
According to these Hybrid Analysis reports [1] [2] [3] , those macros download from the following locations:

euroagroec.com/35436/5324676645.exe
demo9.iphonebackstage.com/35436/5324676645.exe
webmatique.info/35436/5324676645.exe


The binary they download has a VirusTotal detection rate of 3/56 and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:

157.252.245.49 (Trinity College Hartford, US)

I recommend that you block traffic to that IP.

MD5s:
1de3889fde95e695adf6eadcb4829c6d
7ae379d02b72d5768cc07f4241def163
d9cd6d350cde885bd9c0171b6a56ee52
aea40296ee7eb0c73ae488b918572481

Thursday, 15 October 2015

Malware spam: "[Scan] 2015-10-14 5:29:54 p.m." / "Ray White [rw@raylian.co.uk]"

This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery.

From     Ray White [rw@raylian.co.uk]
Date     Thu, 15 Oct 2015 10:56:35 +0200
Subject     [Scan] 2015-10-14 5:29:54 p.m.

Amanda's attached.

In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro [pastebin] . The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:

sdhstribrnalhota.xf.cz/86575765/6757645.exe

Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for this indicates connections to:

89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)


The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.
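
Every run described on this page ends the same way: the Office macro saves the downloaded binary under %TEMP% (here %TEMP%\CrowSoft1.exe). That behaviour is an endpoint detection opportunity independent of the hashes and IPs, which change from run to run. The following is an added example, not the post's analysis: it takes Sysmon-style file-creation records (constructed here, with the assumed field names Image and TargetFilename) and flags an Office process writing an executable into a user's Temp directory.

```python
"""Flag Office processes that write executables into %TEMP%. Added example; the
event records are constructed, with field names modelled on Sysmon FileCreate."""
import ntpath
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}
# %TEMP% for a logged-on user on Vista and later resolves under this folder.
TEMP_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed FileCreate-style records, not real telemetry
    {"Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\CrowSoft1.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},   # normal Word scratch file
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},                # not an Office process
    {"Image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "TargetFilename": r"C:\Users\bob\Documents\report.xlsx"},                # document, not executable
]


def is_office_temp_drop(event: dict) -> bool:
    """True when an Office process creates an executable under a user's Temp folder."""
    image = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "")
    ext = ntpath.splitext(target)[1].lower()
    return (image in OFFICE_IMAGES
            and ext in EXECUTABLE_EXTS
            and TEMP_DIR_RE.search(target) is not None)


def find_office_temp_drops(events):
    """Return the paths of every flagged executable drop."""
    return [e["TargetFilename"] for e in events if is_office_temp_drop(e)]


if __name__ == "__main__":
    for path in find_office_temp_drops(SAMPLE_EVENTS):
        print("Office process wrote executable to Temp:", path)
```

This catches macros that download and write the file from inside the Office process itself. If a macro instead hands off to a script host, the writing process will be that child, so in practice you would either add the script hosts to the image set and correlate on the parent process, or alert on the Office process spawning them at all.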

Recommended blocklist:
89.32.145.12
195.154.251.123

MD5s:
30e1ad13b091ec24935724ed0abf62ca
bc571b3cfa8902da248420ba5e765a40

Monday, 12 October 2015

Q: Who is StockTips.com? A: Adrian Thomas of Euro Ventures SA

I've seen spam allegedly from StockTips.com a few times (such as here and here). I have no solid evidence that the people running StockTips.com are responsible for the spam, but last time I looked at them I was frustrated by the lack of transparency.

It turns out that a mistake by the owners of StockTips.com may have revealed their identities. The StockTips.com registration is normally hidden by Moniker Privacy Services, but at the end of August it seems that the service wasn't running, revealing the apparent identity of the owner:

Registrant Name: Adrian Thomas
Registrant Organization: EuroVentures S.A.
Registrant Street: 10, Route de l'Aeroport
Registrant City: Geneva
Registrant State/Province: Geneva
Registrant Postal Code: 1215
Registrant Country: CH
Registrant Phone: +41.797459914
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: athomas@pan-euro.pl


It turns out that I'd missed an older non-private entry in the WHOIS data too..

ADRIAN THOMAS athomas@pan-euro.pl
Euro Ventures S.A.
10, Route de l'Aeroport
Word Trade Center
Geneva
Geneva
1215
CH
Phone: +41.227990800
Fax:   +41.227990801


Using this information we can piece together a set of related domains:

  • stocktips.com
  • stocktipsemail.com
  • euroventures.com
  • madblitz.com
  • growthpicks.com
  • investors4cash.com
  • investors4cash.net
  • investors4cash.org
  • evreit.com
  • cheuramconsultinggroup.com
  • cheurgrp.com
  • stellargains.com
  • stocktradehotline.com
  • topbusinessdaily.com
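
The pivot the post performs by hand, linking domains through registrant fields shared across WHOIS records, can be automated. The following is an added example and not the post's method or data: it parses records in the same "Key: Value" layout quoted above, normalises the organisation, e-mail and phone values (so "EuroVentures S.A." and "Euro Ventures S.A." collide), skips values that look like a privacy proxy so a shared proxy service does not link unrelated domains, and groups domains that share any pivot. The four WHOIS records and their domain names are constructed for the demonstration.

```python
"""Group domains by shared WHOIS registrant attributes. Added example; the
records below are constructed placeholders, not real WHOIS output."""
import re
from collections import defaultdict

PIVOT_KEYS = ("Registrant Email", "Registrant Phone", "Registrant Organization")
# Values belonging to a privacy/proxy service would link unrelated domains; skip them.
PRIVACY_HINTS = ("privacy", "proxy", "redacted", "whoisguard")

# Constructed records (domains and values are placeholders).
RECORDS = {
    "example-a.com": """Registrant Name: A. Person
Registrant Organization: Example Ventures S.A.
Registrant Email: owner@registrant.example
Registrant Phone: +41.000000001
Registrant Phone Ext:
""",
    "example-b.com": """Registrant Name: Privacy Service
Registrant Organization: ExampleVentures S.A.
Registrant Email: contact@privacy-proxy.example
Registrant Phone: +1.0000000002
""",
    "example-c.com": """Registrant Name: Other Person
Registrant Organization: Some Other Ltd
Registrant Email: owner@registrant.example
Registrant Phone: +44.0000000003
""",
    "example-d.com": """Registrant Name: Unrelated Registrant
Registrant Organization: Unrelated GmbH
Registrant Email: info@unrelated.example
Registrant Phone: +49.0000000004
""",
}

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' lines; empty values (e.g. 'Registrant Fax:') are dropped."""
    record = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m and m.group(2) and m.group(1) not in record:
            record[m.group(1)] = m.group(2)
    return record


def normalise(value: str) -> str:
    """Lower-case and strip spaces/punctuation so spelling variants collide."""
    return re.sub(r"[^a-z0-9@.+]", "", value.lower())


def pivots(record: dict) -> set:
    """The (key, normalised value) pairs worth pivoting on, minus privacy-proxy noise."""
    out = set()
    for key in PIVOT_KEYS:
        value = record.get(key, "")
        if not value or any(h in value.lower() for h in PRIVACY_HINTS):
            continue
        out.add((key, normalise(value)))
    return out


def cluster_domains(records: dict) -> list:
    """Return a list of domain sets; domains sharing any pivot land in one set (union-find)."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}
    for domain, text in records.items():
        for pv in pivots(parse_whois(text)):
            if pv in first_seen:
                parent[find(domain)] = find(first_seen[pv])
            else:
                first_seen[pv] = domain
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda s: sorted(s)[0])


if __name__ == "__main__":
    for group in cluster_domains(RECORDS):
        print(sorted(group))
```

In the constructed data example-b.com joins the cluster through the organisation name alone (its e-mail is a proxy and is ignored), and example-c.com joins through the shared e-mail; example-d.com stays on its own. The older free-text WHOIS format quoted second in the post has no "Key:" labels and would need its own parser before it could feed the same clustering.
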
"Mr Thomas" is on LinkedIn..


A slightly different haircut and beard, but it is the same person on euroventures.com..

Am I saying that Mr Thomas (if that is his real name) is a spammer? No.. I have no evidence to show that the spam I have seen actually comes from StockTips.com (they deny sending out spam). But it's always good to see the sort of person who is giving you financial advice.. even if they don't want you to find out.

Pump and Dump spam: SAFSD / Safer Shot, Inc

This illegal pump-and-dump spam is trying to promote a failed stock SAFSD / Safer Shot, Inc:

From     "StockTips.com" [paul@stocktips.com]
Date     Mon, 12 Oct 2015 14:59:09 +0200
Subject     My newest stock tip is here

Statler here.

My NEWEST MONSTER PICK is - Safer Shot Inc. And they trade under the ticker symbol
- SAFSD or SAFS

I don’t know if you know this, but technically, 0.0001 is the lowest that a stock
can trade at on the open market…

0.0001 is THE FLOOR!

So it stands to reason, if you get in at the ground level (THE FLOOR ), the stock
CANNOT go lower.

So technically you have limited your downside.

Go buy SAFSD NOW and quadruple your money quick!
There is a slightly different version of the spam with the same body text but a different sender..

From     "StockTips.com" [Alerts@subpenny.com]
Date     Mon, 12 Oct 2015 21:16:49 +0330
Subject     My newest stock tip is here
For a technical analysis of just how shitty this stock is, this write-up at Hot Stocked explains it nicely. The company is worth virtually nothing, but by virtue of having an astonishing 1.16 trillion shares issued at 0.0001 cents each (the lowest a share can trade at), it has a completely unrealistic market capitalisation of $116 million. This is basically a ridiculously stupid way to manipulate the markets and quite how they are allowed to do it is a mystery.

The point of this spam is to try to get the stock price to move even just a little bit, so somebody who holds a substantial amount can try to make some money off some suckers who will lose pretty much everything they put in.

Hot Stocked notes that this is a "promoted stock" but there is no guarantee that StockTips.com is actually sending out this tsunami of spam. So far I have seen 500+ unique IP addresses which have the characteristics of an illegal botnet.

Whoever is sending out these spam messages is breaking the law. Anybody who tries to invest in this stock is likely to lose out. Remember, despite the claim that a 0.0001 stock cannot go any lower.. if the company folds, then they will probably be worth precisely nothing. Avoid.

Update:
StockTips.com categorically denies any involvement..

..but because I have looked into StockTips.com before, I had another look to try and deduce who the mystery owner is, and discovered the apparent site operator.

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk"

(Note, an updated version of this spam run happened on 22nd October)

This fake financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:

From     "UUSCOTLAND" <UUSCOTLAND@uuplc.co.uk>
Date     Mon, 12 Oct 2015 17:12:12 +0530
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
12 September 2015 to 12 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk<mailto:uuscotland@uuplc.co.uk>.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk<mailto:Melissa.lears@uuplc.co.uk>
Unitedutilitiesscotland.com


EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

www.unitedutilities.com
www.unitedutilities.com/subsidiaries

Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least four different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro that looks like this example. Download locations spotted so far are:

ukenterprisetours.com/877453tr/rebrb45t.exe
eventmobilecatering.co.uk/877453tr/rebrb45t.exe
thewimbledondentist.co.uk/877453tr/rebrb45t.exe
cardiffhairandbeauty.co.uk/877453tr/rebrb45t.exe


All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
46.20.120.64
109.108.129.21
213.171.218.221

This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56.  That VirusTotal report and this Malwr report indicate traffic to:

149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102 (Data Net SRL, Romania)


I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.

Recommended blocklist:
149.210.180.13
86.105.33.102

MD5s:
6a95b030e91e804f73d14d14cb26e884
04e1476d464fafa559bd1bd8ea38749c
f7389b47c3dbe57f24dafb3b9a7818a2
b4b7a46938f9965169ca1dad29d2d8fc
40d4c1771caba32a2a25e4236f80b548

Malware spam: "Insurance" / "accounts@nolettinggo.co.uk"

This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.

From     [accounts@nolettinggo.co.uk]
Date     Mon, 12 Oct 2015 11:43:16 +0330
Subject     Insurance

Dear all

Please find attached insurance paperwork including EL certificate.  Invoices
will follow at the beginning of November.

Regards

Karen
In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56. This particular document contains this malicious macro [pastebin] which downloads a malware component from the following location:

ukenterprisetours.com/877453tr/rebrb45t.exe 

The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56.
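
The pattern described in this paragraph, several compromised hosts serving the same path and filename, is also what lets a defender write one host-independent signature per campaign instead of chasing each compromised site. As an added example (not the post's own tooling), the following groups the download URLs quoted across the posts on this page by path, reports paths seen on two or more unrelated hosts, and derives a proxy regex for each; the URL list is copied from this page and nothing is fetched.

```python
"""Cluster malware download URLs by path to identify a campaign and derive a
host-independent signature. Added example; the URLs are those quoted on this
page, grouped offline (nothing is contacted)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Download locations quoted in the posts on this page (scheme omitted as in the posts).
OBSERVED_URLS = [
    "ukenterprisetours.com/877453tr/rebrb45t.exe",
    "eventmobilecatering.co.uk/877453tr/rebrb45t.exe",
    "thewimbledondentist.co.uk/877453tr/rebrb45t.exe",
    "cardiffhairandbeauty.co.uk/877453tr/rebrb45t.exe",
    "archives.wnpvam.com/bvcb34d/983bv3.exe",
    "swaineallen.uk/bvcb34d/983bv3.exe",
    "katastimataone.com/bvcb34d/983bv3.exe",
    "vsehochuti.unas.cz/bvcb34d/983bv3.exe",
    "dmedei.3x.ro/bvcb34d/983bv3.exe",
    "flexicall.co.uk/fsf4fd32/8ik6sc.exe",
    "rothschiller.net/~medicbt9/65yg3f3/43g5few.exe",
]


def split_url(url: str):
    """Return (host, path); a scheme is added so urlsplit recognises the host part."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def group_by_path(urls):
    """Map each path to the sorted list of hosts seen serving it."""
    groups = defaultdict(set)
    for u in urls:
        host, path = split_url(u)
        groups[path].add(host)
    return {path: sorted(hosts) for path, hosts in groups.items()}


def campaigns(urls, min_hosts=2):
    """Paths to an executable that appear on at least min_hosts distinct hosts:
    the same kit deployed across unrelated compromised sites."""
    return {p: h for p, h in group_by_path(urls).items()
            if p.lower().endswith(".exe") and len(h) >= min_hosts}


def path_signature(path: str) -> str:
    """Regex matching this path on any host, anchored so '.exe.html' does not match."""
    return re.escape(path) + r"(\?|$)"


def matches_signature(path: str, url: str) -> bool:
    """True when the URL ends in the campaign path, whatever the host."""
    return re.search(path_signature(path), url) is not None


if __name__ == "__main__":
    for path, hosts in campaigns(OBSERVED_URLS).items():
        print(f"{path}: {len(hosts)} hosts -> {path_signature(path)}")
```

A path seen on a single host stays out of the campaign set; it might still be malicious, but there is not yet evidence that the same kit is in use elsewhere, which is what justifies a host-independent block.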

That VirusTotal report and this Hybrid Analysis report show network traffic to:

149.210.180.13 (TransIP BV, Netherlands)

I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan.

MD5s:
6b0c1290d653a4f92a6214a9c91bd23b
04e1476d464fafa559bd1bd8ea38749c

Saturday, 10 October 2015

Scam: "Jim Bing [jim.bing@cn-registry.cn]" / "Huayin Ltd"

This email is part of a long-running Chinese domain scam:

From:    Jim Bing [jim.bing@cn-registry.cn]
Date:    10 October 2015 at 13:52
Subject:    Re:"slimeware"

Dear CEO,
(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huayin Ltd on October 9, 2015. They want to register " slimeware " as their Internet Keyword and " slimeware .cn "、" slimeware .com.cn " 、" slimeware .net.cn "、" slimeware .org.cn " 、" slimeware .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " slimeware " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?


Best Regards,

Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.cn

Slimeware.com is an ancient site of mine that parodies adware companies. I doubt very much that anyone is trying to use this as a domain name for a legitimate business, and I couldn't care less if they did anyway. In fact, what is happening here is that the scammer "Jim Bing" (is he related to Terry Google?) is just trying to get you to panic and buy an overpriced and worthless domain name.

It's a pretty common scam, and I have explained the basics in the video below..


Friday, 9 October 2015

Malware spam: "Your latest DHL invoice : MSE7396821" / "e-billing.uk1@dhl.com"

This fake invoice spam is not from DHL, but is instead a simple forgery with a malicious attachment:

From:    e-billing.uk1@dhl.com
Date:    9 October 2015 at 09:54
Subject:    Your latest DHL invoice : MSE7396821

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY

Dear Customer,

Please find attached your invoice in DOC format, dated 09/09/2015 for shipments and services supplied by DHL Express.

If you would like to download your invoice in a different format, click here to go to the DHL e-Billing website. You can also view your account details and on line invoice history here.

In the event of a problem with opening the attachment, please contact the e-Billing support team on 020 8831 5363 for assistance.

If you would like to verify the digital signature on this invoice, click here to go to the DHL e-Billing website and go to the FAQ section for instructions.

For all invoice content related queries, please contact 08442 480 777.

We look forward to receiving your payment in due course, and within the agreed credit terms as stated on your invoice.

We would like to thank you for using the services of DHL Express.

With kind regards,

The DHL e-Billing team


PROTECT YOUR PASSWORD

In the only sample I have seen, the attached file is named MSE7396821.doc and has a VirusTotal detection rate of 5/55. This contains a malicious macro [pastebin] which downloads a file from the following location:

flexicall.co.uk/fsf4fd32/8ik6sc.exe

There will undoubtedly be different versions of the document with different download locations. This binary is saved as %TEMP%\vtsAbd.exe and has a VirusTotal detection rate of 2/54. That VirusTotal report, this Malwr report and this Hybrid Analysis report show network traffic to:

86.105.33.102 (Data Net SRL, Romania)

I recommend that you block traffic to and from that IP address. The payload appears to be the Dridex banking trojan.

MD5s:
79b6080e3c2de566ee7c284a64f62a40
31f6d50a5757d5b5ba24a6f5dab01567

Thursday, 8 October 2015

Malware spam: "Deposit Payment" / "Frederico Kessler [Frederico.Kessler@Gamesys.co.uk]"

This fake financial email does not come from Frederico Kessler but is instead a simple forgery with a malicious attachment:

From     Frederico Kessler [Frederico.Kessler@Gamesys.co.uk]
Date     Thu, 08 Oct 2015 04:14:23 -0700
Subject     Deposit Payment

Hi,

Attached is receipt of transfer regarding the deposit increase for our new contract
to the Cherry Tree Cottage.
Let me know if its all sorted.

Frederico Kessler
Product Owner | Games Platform
[cid:9DCD81C9-9267-4802-AAE1-B3AF9887E131]
[gamesysign]
4th Floor, 10 Piccadilly
London, W1J 0DD

Email: frederico.kessler@gamesys.co.uk

Attached is a malicious Excel document named Payments Deposit.xls which comes in five different versions (so far) [1] [2] [3] [4] [5], each containing a slightly modified macro [example] which downloads a malicious executable from the following locations:

archives.wnpvam.com/bvcb34d/983bv3.exe
swaineallen.uk/bvcb34d/983bv3.exe
katastimataone.com/bvcb34d/983bv3.exe
vsehochuti.unas.cz/bvcb34d/983bv3.exe
dmedei.3x.ro/bvcb34d/983bv3.exe


These download locations have been in use for a couple of other spam runs [1] [2] but now the payload has been altered and has a VirusTotal detection rate of 3/56. That VirusTotal report and this Hybrid Analysis report show traffic to:

198.61.187.234 (Rackspace, US)

I recommend that you block traffic to that IP.

MD5s:
5bddf5271b1472eca61a6a2d66280020
8df205eff019378f33c7b512f81a2087
aa93cbf333d1dcaf1408207938dbd5c3
d7a5bf7ae458e3584a01d1c5df0186db
59cd64d7e98f71870b6746ecb4b31b40
fa31f4fced30b9b1a720f4072afde32d


Malware spam: "Invoice for Payment" / "CivicaReports@plymouth.gov.uk"

This fake invoice spam does not come from Plymouth City Council but is instead a simple forgery with a malicious attachment.

From     [CivicaReports@plymouth.gov.uk]
Date     Thu, 08 Oct 2015 14:03:31 +0400
Subject     Invoice for Payment

THIS IS A POST-ONLY EMAIL. PLEASE DO NOT REPLY TO THIS MESSAGE. THIS
EMAIL ADDRESS
IS NOT MONITORED FOR RESPONSES.

From: Plymouth LIVE SYSTEM (New)

Please find attached your invoice for payment in accordance with our
agreed terms and conditions.

The invoice is sent in PDF format. Double click on the attachment to
open the file.

PDF files require Adobe Acrobat Reader to view them. Download Adobe
Acrobat Reader
free of charge from the Adobe website at www.adobe.com/products/reader


For enquiries specifically relating to this invoice, please e-mail :
incomes@plymouth.gov.uk

This e-mail is confidential and intended for the exclusive use of the
addressee.

Any views or opinions expressed in this e-mail do not necessarily
represent those of Plymouth City Council, and are not to be relied upon
without subsequent written confirmation by an authorised representative.
If you are not the addressee, any disclosure, reproduction,
distribution, forwarding, or other dissemination or use is strictly
prohibited. If you have received this e-mail in error please notify the
Plymouth City Council Transaction Centre (incomes) helpdesk on 01752
304443

Plymouth City Council, The Civic Centre, Armada Way, Plymouth, PL1 2AA.

Telephone : 01752 668000 Website : www.plymouth.gov.uk
There are at least four different versions of the document in circulation, each containing a malicious macro. Download locations spotted so far are:

katastimataone.com/bvcb34d/983bv3.exe
vsehochuti.unas.cz/bvcb34d/983bv3.exe
swaineallen.uk/bvcb34d/983bv3.exe
archives.wnpvam.com/bvcb34d/983bv3.exe


The payload is exactly the same as used in this spam run.

MD5s:
bb4d2d606091de154e81e292036981c8
80fba8c6b4947cea3d55cef66515d70f
1f5d975dedd140e62f794993792d906b
de413dd09e70e1dc48c5060afe3f87f0
70570b4d1806a25414959d7967bb542f

Malware spam: "Receipt from Norfolk Dance" / "[info@norfolkdance.co.uk]"

This fake financial email is not from Norfolk Dance but is instead a simple forgery with a malicious attachment:

From     "info" [info@norfolkdance.co.uk]
Date     Thu, 08 Oct 2015 12:39:28 +0300
Subject     Receipt from Norfolk Dance

Please find receipt for payment attached.

Many Thanks

Norfolk Dance
14 Chapel Field North
Norwich
Norfolk
NR2 1NY
Telephone: 01603 283399
E mail: info@norfolkdance.co.uk
Attached is a file Receipt.doc which I have seen in two different versions (VT detection rate 4/56 and 3/56), each containing a different malicious macro [1] [2] [Pastebin] which downloads a malicious binary from one of the following locations:

katastimataone.com/bvcb34d/983bv3.exe
archives.wnpvam.com/bvcb34d/983bv3.exe


This is saved as %TEMP%\fDe12.exe and currently has a VirusTotal detection rate of 4/55. The VirusTotal report indicates traffic to the following IP:

198.61.187.234 (Rackspace, US)

I recommend that you block traffic to this IP. Automated analysis is pending (check back later) but the payload is almost definitely the Dridex banking trojan.

MD5s:
bb4d2d606091de154e81e292036981c8
80fba8c6b4947cea3d55cef66515d70f
1f5d975dedd140e62f794993792d906b
de413dd09e70e1dc48c5060afe3f87f0
70570b4d1806a25414959d7967bb542f


Update:
The Hybrid Analysis report for the DOC file is here, and their analysis of the executable is available here with a Malwr report also here.

Wednesday, 7 October 2015

Malware spam: "Scanned document from MX-2600N"

This fake scanned document has a malicious payload attached:

From:    xerox@victimdomain.tld
Reply-To:    xerox@victimdomain.tld
Date:    7 October 2015 at 10:08
Subject:    Scanned document from MX-2600N


Reply to: xerox@victimdomain.tld victimdomain.tld
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned document in XLS format.
Use Microsoft(R)Excel(R) to view the document.

Attached is a file in the format xerox@victimdomain.tld_20151007_160214.xls (where victimdomain.tld is the victim's own domain), which has a VirusTotal detection rate of 3/56. This Excel file contains a malicious macro [pastebin] which in THIS case downloads a binary from the following location:

alarmtechcentral.com/fw43t2d/98kj6.exe

There will be other versions of the XLS file which will download components from other locations, however the payload will be the same, and it currently has a detection rate of 2/56. The VirusTotal report indicates traffic to:

84.246.226.211 (ELB Multimedia, France)

Blocking traffic to and from that IP is recommended.

Automated analysis is pending, please check back later. The payload is probably the Dridex banking trojan.

UPDATE
Here are the Hybrid Analysis reports for the XLS file and executable.

Tuesday, 6 October 2015

Malware spam: "...has sent you a file via WeTransfer"

This fake "WeTransfer" spam comes with a malicious payload.


info@ucaqld.com.au has sent you a file via WeTransfer
1 message

WeTransfer 6 October 2015 at 13:36
To: [redacted]
info@ucaqld.com.au
sent you some files
‘Hey Nicole,
I have given you these federal reminder

Many thanks

Stacey'
Download
Files (101 KB total)
Document.doc
Will be deleted on
07 Oct, 2015
Get more out of WeTransfer, get Plus
About WeTransfer Contact Legal Powered by Amazon Web Services

In this case, the malicious link is actually at..

storage-hipaa-2.sharefile.com/download.ashx?dt=dt3b07281f2b9440708a4b8a411e2f0e18&h=WAOCUIfIJJIYoHSVimogW83t4TXwSsltx0MYcStbmyQ%3d

The attachment is malicious in nature, but analysis is still pending. In the meantime, here is an initial Hybrid Analysis report.

Malware spam: "Copy of Invoice(s)" / "Anny Beckley [Anny@hammondsofknutsford.co.uk]"

This fake financial spam does not come from Hammonds of Knutsford but is instead a simple forgery with a malicious attachment:

From     Anny Beckley [Anny@hammondsofknutsford.co.uk]
Date     Tue, 06 Oct 2015 12:29:23 +0430
Subject     Copy of Invoice(s)

Please find attached a copy of Invoice Number(s) 82105

In the two samples that I have seen, the attached file was named Q_46Q0VWHU4.DOC with a VirusTotal detection rate of 7/56. This document contains a malicious macro [pastebin] which downloads a further component from the following location:

rothschiller.net/~medicbt9/65yg3f3/43g5few.exe

This currently has a detection rate of just 1/56 and it appears to be saved as %TEMP%\rrdDhhm.exe. Note that there are usually several different document versions spammed out with different download locations, but the payload is the same in every case.

Automated analysis is pending, but the payload is almost definitely the Dridex banking trojan.

UPDATE: 
The Hybrid Analysis report for the document is here and the analysis of the dropped executable is here, showing the malware phoning home to 84.246.226.211 (ELB Multimedia, France).

Monday, 5 October 2015

Malware spam: "Your Invoices - Incident Support Group Ltd" / "repairs@isgfleet.co.uk"

This fake financial spam is not from Incident Support Group Ltd but is instead a simple forgery with a malicious attachment:

From     repairs@isgfleet.co.uk
Date     Mon, 05 Oct 2015 15:47:11 +0700
Subject     Your Invoices - Incident Support Group Ltd

Please find attached your invoices from Incident Support Group Ltd. If you wish to
change the email address we have used please email repairs@isgfleet.co.uk with the
correct details.

In the sample I saw, the attached file was 216116.xls which has a VirusTotal detection rate of 6/56 and contains this malicious macro [pastebin] which then downloads a component from the following location:

agridiotiko.com/432/4535.exe

Note that at the time of writing, I only have one sample of this. There are usually several versions of the attachment in these spam runs, with different download locations. The malicious binary has a detection rate of 4/56.

The VirusTotal report and this Hybrid Analysis report indicate traffic to:

84.246.226.211 (ELB Multimedia, France)

Blocking or monitoring traffic to and from that IP would probably be prudent. The payload is most likely the Dridex banking trojan.

UPDATES:
Other download locations spotted so far:

www.poncho-zwerfkatten.be/432/4535.exe
conserpa.vtrbandaancha.net/432/4535.exe
www3.telus.net/~a7a78529/432/4535.exe
216.119.122.167/432/4535.exe

MD5s:
87b01608b8170029816df5eed11cd9c5
2c78ee663f0e0f6a4f651e92afaf243e
75d87be2b43a61d35e938393be0633d5
ce94c036dac774b3cb8c7a07ff333c7f
29b56ddfab41f92b0447783e1ef6ccd8
896b4edc333dba1bb533b9ca18549fe7

Thursday, 1 October 2015

Malware spam: "Please print" / "Chelsee Gee" [chelsee@ucblinds.co.uk]

This fake financial spam is a simple forgery with a malicious attachment:

From     "Chelsee Gee" <chelsee@ucblinds.co.uk>
To     <samantha@longmore.me.uk>
Date     Thu, 01 Oct 2015 18:51:16 +0700
Subject     Please print

Kind Regards

Chelsee Gee

UC Blinds Limited
1150 Stratford Road
Hall Green
Birmingham
B28 8AF


Tel:  0121 777 3092
Fax:  0121 777 3143
Email:  chelsee@ucblinds.co.uk
Website:   <http://www.ucblinds.co.uk/> www.ucblinds.co.uk



All types of Commercial and Domestic Window Blinds ▪ Made to Measure Curtains ▪
Awnings and Canopies ▪ Grilles and Shutters ▪ Internal Plantation Shutters ▪
Window Film ▪ Cleaning and Repairs.

Company No:   7215441
Registered Address:  Nairn House, 1174 Stratford Road, Hall Green, Birmingham, B28
8AQ.

This email is confidential.  If you are not the intended recipient then you must
not copy it, forward it, use it for any purpose, or disclose it to another person.
Instead please return it to the sender immediately.  Please then return and delete
your copy from your system.  Thank you.

Note that the email in my sample is slightly mangled and might not be the same as yours. I received several copies of this, and the normal method is that there are several different email attachments, however I will look at just one. Named Order-SO00653333-1.doc, this file has a detection rate of 6/56, and it contains this malicious macro [pastebin].
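Legacy .doc and .xls attachments like the ones in this post and in the "Scanned document from MX-2600N" post above are OLE compound files, and the VBA project inside them lives in a "Macros" storage (Word) or a "_VBA_PROJECT_CUR" storage (Excel), each holding a "VBA" storage. That means a mail gateway or an analyst can tell whether an attachment carries a macro at all without opening it in Office, just by walking the file's directory. The following is an added example written for this page, not code from the original post or from any tool it mentions: a minimal OLE directory reader plus a `has_vba_macros` check. The `build_ole` helper fabricates tiny, valid compound files purely as constructed test data; the storage names it takes are whatever the caller passes in.

```python
import struct

# MS-CFB constants
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
# Storage names that hold VBA code (MS-OVBA): "Macros" in Word documents,
# "_VBA_PROJECT_CUR" in Excel workbooks, and the "VBA" storage inside both.
MACRO_STORAGES = {"macros", "_vba_project_cur", "vba"}


def ole_directory_names(data):
    """Walk the directory chain of an OLE compound file and return its entry names."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    fat_sector_count = struct.unpack_from("<I", data, 44)[0]
    first_dir_sector = struct.unpack_from("<I", data, 48)[0]
    difat = struct.unpack_from("<109I", data, 76)  # header DIFAT only (files under ~7 MB)
    fat = []
    for sector in difat[:fat_sector_count]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sector + 1) * sector_size))
    names, sector, seen = [], first_dir_sector, set()
    # ENDOFCHAIN / FREESECT are far above len(fat), so they terminate the walk.
    while sector < len(fat) and sector not in seen:
        seen.add(sector)
        base = (sector + 1) * sector_size
        for off in range(base, base + sector_size, 128):
            entry = data[off:off + 128]
            if len(entry) < 128:
                break
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 0 or name_len < 2:  # unused directory slot
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le"))
        sector = fat[sector]
    return names


def has_vba_macros(data):
    """True if any VBA-bearing storage is present, False if not, None if not an OLE file."""
    try:
        names = ole_directory_names(data)
    except ValueError:
        return None
    return any(name.lower() in MACRO_STORAGES for name in names)


def _dir_entry(name, obj_type, right=NOSTREAM, child=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw
    # name length, object type, colour, left/right sibling, child
    struct.pack_into("<HBBIII", entry, 64, len(raw), obj_type, 1, NOSTREAM, right, child)
    struct.pack_into("<I", entry, 116, ENDOFCHAIN)  # start sector: no stream data
    return bytes(entry)


def build_ole(storage_names):
    """Constructed test data: a minimal valid OLE file (header + one FAT sector +
    one directory sector) whose root contains the given empty storages."""
    assert len(storage_names) <= 3  # one 512-byte directory sector holds four entries
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
    # FAT sectors=1, first dir sector=1, transaction=0, mini cutoff, minifat, DIFAT chain
    struct.pack_into("<IIIIIIII", header, 44, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *[FREESECT] * 108)  # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    entries = [_dir_entry("Root Entry", 5, child=1 if storage_names else NOSTREAM)]
    for i, name in enumerate(storage_names, 1):
        right = i + 1 if i < len(storage_names) else NOSTREAM
        entries.append(_dir_entry(name, 1, right=right))
    directory = b"".join(entries).ljust(512, b"\x00")
    return bytes(header) + fat + directory


if __name__ == "__main__":
    print(has_vba_macros(build_ole(["Workbook", "_VBA_PROJECT_CUR"])))  # True
    print(has_vba_macros(build_ole(["Workbook", "SummaryInformation"])))  # False
```

The reader lists every directory entry in the file, nested storages included, so a flat name match is enough. The check is a triage signal, not a verdict: a macro-bearing file is not necessarily malicious, and the newer .docm/.xlsm formats are ZIP containers whose vbaProject.bin would have to be extracted first and fed to the same function.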

The Hybrid Analysis report for this particular document shows the malware downloading from:

hobby-hangar.net/123/1111.exe

Other locations are:

miastolomza.pl/123/1111.exe
www.ifdcsanluis.edu.ar/123/1111.exe
www.norlabs.de/123/1111.exe
zahnrad-ruger.de/123/1111.exe


This binary has a VirusTotal detection rate of 2/56 and the Hybrid Analysis report for that is here.

The payload is the Dridex banking trojan, and in fact this is the first Dridex I have seen in over a month after some of the alleged perpetrators were arrested.

Recommended blocklist:
miastolomza.pl
ifdcsanluis.edu.ar
norlabs.de
zahnrad-ruger.de
hobby-hangar.net
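As an added defender-side example (not part of the original post), here is the blocklist above, the C2 address 84.246.226.211 and the MD5s from the 5 October post turned into a small proxy-log triage script. The access.log lines are constructed for the example; the `/<digits>/<digits>.exe` path pattern is my own generalisation of the download URLs seen in these runs (432/4535.exe, 123/1111.exe), not something the post states, and it is there to catch download hosts that are not yet on the list.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators collected from the posts on this page (Dridex spam runs, October 2015).
C2_IPS = {"84.246.226.211"}
BLOCKED_DOMAINS = {
    "miastolomza.pl", "ifdcsanluis.edu.ar", "norlabs.de", "zahnrad-ruger.de",
    "hobby-hangar.net", "agridiotiko.com", "rothschiller.net", "alarmtechcentral.com",
}
KNOWN_MD5S = {
    "87b01608b8170029816df5eed11cd9c5", "2c78ee663f0e0f6a4f651e92afaf243e",
    "75d87be2b43a61d35e938393be0633d5", "ce94c036dac774b3cb8c7a07ff333c7f",
    "29b56ddfab41f92b0447783e1ef6ccd8", "896b4edc333dba1bb533b9ca18549fe7",
}
# Assumption: every download URL in these runs has the shape /<digits>/<digits>.exe.
DOWNLOADER_PATH = re.compile(r"^/\d+/\d+\.exe$", re.IGNORECASE)

# Constructed squid-style access.log lines (not real traffic):
# time elapsed client action/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1444212001.101   120 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.1 text/html
1444212002.202   310 10.0.0.21 TCP_MISS/200 143872 GET http://www.poncho-zwerfkatten.be/432/4535.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
1444212003.303   295 10.0.0.22 TCP_MISS/200 143872 GET http://hobby-hangar.net/123/1111.exe - HIER_DIRECT/198.51.100.8 application/octet-stream
1444212004.404  1500 10.0.0.22 TCP_TUNNEL/200 2210 CONNECT 84.246.226.211:443 - HIER_DIRECT/84.246.226.211 -
1444212005.505   200 10.0.0.23 TCP_MISS/200 884000 GET http://downloads.example.org/setup/installer.exe - HIER_DIRECT/203.0.113.9 application/octet-stream
"""


def split_url(url):
    """Return (host, path) for an absolute URL or a CONNECT host:port target."""
    if "://" in url:
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.path or "/"
    return url.rsplit(":", 1)[0].lower(), ""


def host_is_blocked(host):
    """Exact or subdomain match against the blocklist."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify(line):
    """Return the sorted list of indicator tags that one log line trips."""
    fields = line.split()
    if len(fields) < 9:
        return []
    url, hierarchy = fields[6], fields[8]
    host, path = split_url(url)
    peer = hierarchy.split("/", 1)[-1]  # server IP the proxy actually connected to
    tags = set()
    if host_is_blocked(host):
        tags.add("blocked-domain")
    if host in C2_IPS or peer in C2_IPS:
        tags.add("c2-ip")
    if DOWNLOADER_PATH.match(path):
        tags.add("downloader-path")
    return sorted(tags)


def scan_log(text):
    """Return (line_number, tags) for every line that trips at least one indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits


def md5_is_known(hexdigest):
    return hexdigest.lower() in KNOWN_MD5S


def file_is_known_sample(data):
    """Hash a retrieved attachment or binary and compare it with the published MD5s."""
    return md5_is_known(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for n, tags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
```

Line 2 of the sample is the interesting one: www.poncho-zwerfkatten.be is not on the blocklist, and only the path pattern flags it. Match on the peer IP as well as the URL, because Dridex's post-infection traffic goes to the C2 address directly and never names a blocklisted domain.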

Wednesday, 30 September 2015

Malware spam: "FW : Incoming SWIFT" / "Clyde Medina" [Clyde.Medina@swift.com]

This fake banking email comes with a malicious attachment:

From     "Clyde Medina" [Clyde.Medina@swift.com]
Date     Wed, 30 Sep 2015 12:35:56 GMT
Subject     FW : Incoming SWIFT

We have received this documents from your bank regarding an incoming SWIFT transfer.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.

Attached is a file SWIFT_transfer.zip which contains a malicious executable SWIFT_transfer.scr which currently has a detection rate of 2/56.

Automated analysis is pending, although the payload is almost definitely Upatre/Dyre. Please check back later.

UPDATE:
The Hybrid Analysis report shows Upatre/Dyre activity, including the malware phoning home to a familiar IP address, 197.149.90.166 in Nigeria, which I recommend you block or monitor.

Tuesday, 29 September 2015

Malware spam: "Info from SantanderBillpayment.co.uk" / "Santanderbillpayment-noreply@SantanderBillPayment.co.uk"

This fake financial spam comes with a malicious attachment:

From     "Santanderbillpayment-noreply@SantanderBillPayment.co.uk" [Santanderbillpayment-noreply@SantanderBillPayment.co.uk]
Date     Tue, 29 Sep 2015 12:33:56 GMT
Subject     Info from SantanderBillpayment.co.uk

Thank you for using BillPay. Please keep this email for your records.

The following transaction was received on 29 September 2015 at 09:11:36.

Payment type:          VAT
Customer reference no: 0343884
Card type:            Visa Debit
Amount:                GBP 4,683.00

For more details please check attached payment slip.

Your transaction reference number for this payment is IR0343884.

Please quote this reference number in any future communication regarding this payment.

Yours sincerely,

Banking Operations

This message is intended for the named person above and may be confidential, privileged
or otherwise protected from disclosure. If it has reached you by mistake please contact
the sender on 0300 200 3601 and delete the message immediately.


**PLEASE DO NOT REPLY TO THIS E-MAIL, AS WE WILL NOT BE ABLE TO RESPOND**
Emails aren't always secure, and they may be intercepted or changed after they've
been sent. Santander doesn't accept liability if this happens. If you think someone
may have interfered with this email, please get in touch with the sender another
way.
This message doesn't create or change any contract. Santander doesn't accept responsibility
for damage caused by any viruses contained in this email or its attachments. Emails
may be monitored. If you've received this email by mistake, please let the sender
know at once that it's gone to the wrong person and then destroy it without copying,
using, or telling anyone about its contents.

Santander Corporate Banking is the brand name of Santander UK plc, Abbey National
Treasury Services plc (which also uses the brand name of Santander Global Banking
and Markets) and Santander Asset Finance plc, all (with the exception of Santander
Asset Finance plc) authorised and regulated by the Financial Services Authority,
except in respect of consumer credit products which are regulated by the Office of
Fair Trading. FSA registration numbers: 106054, 146003 and 423530 respectively.
Registered offices: 2 Triton Square, Regent's Place, London NW1 3AN and Carlton Park,
Narborough LE19 0AL. Company numbers: 2294747, 2338548 and 1533123 respectively.

Registered in England. Santander and the flame logo are registered trademarks.

The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 197.149.90.166 in Nigeria which is worth blocking or monitoring.