
Monday, 26 October 2015

Fake seminar sites to avoid, registered to vravindhar@yahoo.com

A contact tipped me off to some fake financial seminar sites, all linked to the email address vravindhar@yahoo.com. They are promoted in spam emails similar to these:

From: rob.koster@fatcacomplianceinstitute.com [mailto:rob.koster@fatcacomplianceinstitute.com]
Sent: Wednesday, August 05, 2015 8:33 AM
To: redacted
Subject: FATCA Compliance - [redacted]
Importance: High

Dear Participants,

We are pleased to announce you that FATCA Compliance Institute is conducting a 2 day practical seminar on FATCA Compliance.

This seminar is going to be repeated and held thrice:
[redacted]

The seminar is open to all the Banking & Financial Professionals. The seminar particulars are attached with this mail.

Last date for enrolling your participation is [redacted], 2015.

Please contact for assistance.

Truly,
Rob Koster
Seminar Secretary
Tel:+31-800-020-0534(Netherlands and Other EU Countries) 
       +1-312-625-0112(All Other Countries)
FAX:+31-800-020-0534

And also..

 From: alfred@pacibankers.com [mailto:alfred@pacibankers.com]
Sent: Wednesday, February 11, 2015 11:50 AM
Subject: Asset Management Auditing and Internal Accounting Controls - [redacted]
Importance: High




Asset Management Auditing and Internal Accounting Controls - 2 Day Program

Dear Delegate
Pacific Standards (www.pacificstandards.com) would like to invite representatives from your organization to attend the above mentioned program scheduled for 2015. We are limiting the number of participants for each cluster to 20, as the courses are designed to be interactive and to encourage discussion and the exchange of ideas.

Program Dates:      Cluster I – February 25 - 26, 2015 
                                      Cluster II – March 9 - 10, 2015                                  
                                      Cluster III - March 18 - 19, 2015 
                                      Cluster IV- April 6 - 7, 2015
                                      Cluster V- April 15 - 16, 2015
                                 
Venue: {redacted}
We invite you to nominate individuals from your respective organization. It is also important to stress that all available slots will be filled on a first come first serve basis. Please advise your colleagues to attend and take advantage of this valuable and pivotal workshop.(Please see the attached brochure for complete course coverage).
Early Registration Deadline is February 15, 2015 
Last Date of Registration is February 17, 2015 


Looking forward for an early reply.

Thanks & Regards,
Alfred
Pacific Standards
Marketing Manager
Contact Number: +91-8801-990-204

Emails are sent from 159.253.145.90 (Softlayer, Netherlands). The registrant details look like this on most of the domains:
Registry Registrant ID:
Registrant Name: Ravindhar V
Registrant Organization:
Registrant Street: office:7, sushant lok , sushant estate
Registrant City: gugaon
Registrant State/Province: Haryana
Registrant Postal Code: 122002
Registrant Country: India
Registrant Phone: +91.9999960651
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: vravindhar@yahoo.com
Registry Admin ID:
The emails specifically target the finance sector with what appear to be relevant seminars and services. However, once payment has been received there is reportedly no further communication and no seminars.

There are a large number of related sites, some using several different domains. There are virtually zero references to these "organisations" on Google, and a close examination of the sites shows several red flags.

Pacific Standards

Claiming to be in Singapore, but boasting an Indian phone number of +91-8801990204, this outfit claims to be part of "Grenoble Learning". Neither Pacific Standards nor Grenoble Learning actually appear to exist.


Domains used:
pacificstandards.com
pacibankers.com
pacific-compliance.com
pacificstan.cc
pacificstan.com
pacificstandards.org

Brown & Co

This claims to be based at 12 Flemington Street, Glasgow but quotes a US contact number of 1-800-BRO-CORP / 1-800-246-8115. There are many, many companies in the UK with the name "Brown & Co", but where you would expect to see number 12 on that street, there appears to be a car park.

Domains used:

beta-essentials.me
browncorpuk.org
browncorp.co
betaeventhub.org
betaessentials.in

FATCA Compliance Institute

A quick Google search for "FATCA Compliance Institute" reveals exactly zero reliable references to this important-looking organisation, boasting contact details in both India and The Netherlands.
15-66 plot 101 Prabhu Nagar
Poranki 521137.
Tel:+31-800-020-0534(Netherlands and Other EU Countries)
FAX:+31-800-020-0534 (ONLY EU)
FAX: +31-20-524-1592 (ALL COUNTRIES)
USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Corporate Office:

Keizersgracht 209
1006 DT Amsterdam
The Netherlands
The Netherlands Toll-Free:
Tel:+31-800-020-0534
FAX:+31-800-020-0534

USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Domains used:

fatcacomplianceinstitute.org
fatcacomplianceinstitute.com
fatcacompliance.cc
fatcacompliance.net
fatcacompliance.org

Rightman Group

The web site here looks very slick. But if you Google for snippets of somewhat ungrammatical text (such as "But, one things remains unchanged – our dedication to doing the best work in the world.") you will find that there are hundreds of sites using the exact same template. Rightman Group has the following contact details listed:

Rightman Group
 United States
199 Scott Street
Suite 810
Buffalo, NY 14204
+1-716-217-2817
USA call charges apply.
---------
 Dreikönigstrasse 30
Zürich, Switzerland
----------
+41-43-508-1974 

The New York State Division of Corporations has no such company as "Rightman Group" listed.


Domains used:

rightmangroup.com
rightman.eu
rightman.cc
rightmangroup.net
rightmangroup.org

Swiss Dossier

I can only imagine that the name "Swiss Dossier" came about through an error in autotranslation. It lists several addresses:

info@swissdossier.com(General)
offices@swissdossier.com(Training Programs)

Tel:  +1-786-235-8424(USA)

Our Global offices are located at:
19th Floor, Prudential Towers(North Side)
Office no: 1901
Chulia Street
Singapore

Aeschenvorstadt, 405
Basel,
Switzerland

79 Thornall Street,
6th Floor, Edison, NJ 08837.
New Jersy
USA

70 Sheppard Avenue, Suite 301,
North York, Ontario M2N 3A4,
Canada

A Google search for "swissdossier.com" comes up with no independent and reliable references to this so-called company.


Domains used:

swissdossier.com
swissdossier.cc
swissdossier.com.co

Treasury Management Institute

According to Companies House in the UK, there is no company in the UK with the name "Treasury Management Institute". The contact details indicate that this is perhaps the workplace of John or Jane Doe:

Email : 
 jdoe@treasurymanagementinstitute.com
 jdoe@treasurymanagementinstitute.cc
Addresses:
01, Temple Quay, Temple Back East, Bristol, BS1 6DZ, UK
SWConsulting Group, Sec 42 Gurgaon, India(Institute operates under the licence of SWConsulting Group)
There are no independent references to this organisation existing in Bristol.


Domains used:

treasurymanagementinstitute.com
treasurymanagementinstitute.cc
treasurymanagementinstitute.org

Financial Models India

Sharing the same contact details as some of these other highly questionable sites, and hosted on the same infrastructure, Financial Models India would appear to fail the Duck Test.

79 Thornall Street,
6th Floor, Edison, NJ 08837,
New Jersy,
USA

19th Floor,
Prudential Towers (North Side),
Office no: 1901,
Chulia Street, Singapore

Aeschenvorstadt, 405,
Basel, Switzerland

70 Sheppard Avenue,
Suite 301, North York,
Ontario M2N 3A4,
Canada

DLF Square M Block,
Jacaranda Marg DLF City, Phase II,
Gurgaon 122002, INDIA  

Domains used:

financialmodelsindia.com
financialmodels.co.in
fmtsglobal.com
unitedcapital-financialmodels.com
unitedcapitalglobal.com

Virat World Wide

This appears to be the firm or individual behind these sites. The "About Us" page says:

Ravindhar.V - Managing Director

Mr. Ravindhar is an able administrator and change master. He has rich experience in thearea of Financial Information Technology(FIT). He has developed financial software products and Information Technology management solutions for financial institutions and banks in more than a fifty countries and for top global Banks and companies. His qualification is Master of Finance and Accounting with a track of computer applications in Finance and Accounting(MFA). Mr.Ravindhar comes from Business Family of Poranki Sugars and his family is a legacy of entrepreneurs based in India. Group is widely respected by the industry.
I'm guessing that the "V" stands for "Virat", making him "Ravindhar Virat". The contact details list an address in the... errr. UNITED KIGDOM.

Global Support
+919-618-921-876
customersupport@virat.consulting
120, CENTRAL STREET
CLERKENWELL
LONDON
UNITED KIGDOM
This address is actually a hotel. The +91 telephone number is a number in India, not the UK.


Domains used:

virat.consulting
virat-transitionalhunts.biz
virat-th.co.in

Other domains

The other domains (mostly now defunct or with no content) also appear to belong to the same operator:


If you have any experiences with any of these "companies", feel free to leave a comment.






Malware spam: "Your new PHS documents are attached" / "PHSOnline" [documents@phsonline.co.uk]

This spam does not come from PHSOnline, but is instead a simple forgery with a malicious attachment.

From     "PHSOnline" [documents@phsonline.co.uk]
Date     Mon, 26 Oct 2015 20:28:50 +0700
Subject     Your new PHS documents are attached
I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in three different versions (VT results [1] [2] [3]) containing a macro like this [pastebin] which downloads a malicious binary from one of the following locations:

tranquilosurf.com/~info/76r56e87y8/65df78.exe
masaze-rumburk.cz/76r56e87y8/65df78.exe
img1.buyersbestfriend.com/76r56e87y8/65df78.exe


The Hybrid Analysis reports for those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report for this binary shows it downloading from the following location:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the same as the ones used in this earlier attack, but the payload has now changed.


Malware spam: "#NC-242455-Zmj Your Norwich Camping Order has shipped!" / sales@norwichcamping.co.uk

This fake financial spam does not come from Norwich Camping but is instead a simple forgery with a malicious attachment:

From     "Norwich Camping" [sales@norwichcamping.co.uk]
Date     Mon, 26 Oct 2015 13:43:14 +0430
Subject     #NC-242455-Zmj Your Norwich Camping Order has shipped!

You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
payment method has now been charged.

Kind regards,
The Norwich Camping & Leisure
Attached is a file invoice-2425.doc of which I have only seen a single sample so far, with a VirusTotal detection rate of 5/55. The document contains this malicious macro [pastebin] which apparently downloads a malicious binary to %TEMP%\ZipCock32.exe

Analysis of the document and the payload is pending (please check back later). It is most likely that it downloads the Dridex banking trojan.

UPDATE:

According to this Hybrid Analysis report, this version of the malicious document downloads an executable from:

img1.buyersbestfriend.com/76r56e87y8/65df78.exe

This has a VirusTotal detection rate of 5/55. That report indicates malicious traffic to:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

I recommend that you block traffic to that IP.

Friday, 23 October 2015

Malware spam: "Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)"

This fake financial spam has a malicious attachment:

From:    Accounts [message-service@post.xero.com]
Date:    23 October 2015 at 15:08
Subject:    Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)

Hi Mattie,

Attached is your credit note CN-06536 for 8954.41 GBP.

This has been allocated against invoice number

If you have any questions, please let us know.

Thanks,
Avnet, Inc.
The message is not from Avnet, Xero or Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc, but it's actually a ZIP file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe and has a VirusTotal detection rate of 4/55. VT identifies this as Upatre, which implies that the payload is the Dyre banking trojan.

Analysis is still pending for this malware (please check back later), but the current version of Upatre/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria), which I strongly recommend you block.

UPDATE:
The Hybrid Analysis report is here, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe




Malware spam: "DocuCentre-V C6675 T2" / "Scan Data from FX-D6DBE1"

This fake document scan appears to originate from within the victim's own organisation, but doesn't. Instead it comes with a malicious attachment.

From:    DocuCentre-V C6675 T2 [reception@victimdomain.com]
Reply-to:    reception@victimdomain.com
Date:    23 October 2015 at 09:23
Subject:    Scan Data from FX-D6DBE1

Number of Images: 1
Attachment File Type: DOC

Device Name: DocuCentre-V C6675 T2
Device Location:
Attached is a file 22102015160213-0001.doc which comes in a few different versions. The payload is Dridex and all the files and downloaded binaries are the same as used in this spam run.

Malware spam: "cleaning invoice" / "deborah Sherer" [thesherers@westnet.co.uk]

This fake financial spam comes with a malicious attachment:
From     "deborah Sherer" [thesherers@westnet.co.uk]
Date     Fri, 23 Oct 2015 17:03:19 +0700
Subject     cleaning invoice

Hello

attached is invoice for payment

thanks

Deborah Sherer

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:

www.bhtfriends.org/tydfyyur54/43e67tko.exe
zomb.webzdarma.cz/tydfyyur54/43e67tko.exe
nisanyapi.com/tydfyyur54/43e67tko.exe

This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).

That VirusTotal report plus this Hybrid Analysis report show network traffic to:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

Private sources also identify the following IPs as part of the C2 infrastructure:

157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232

MD5s:
d897c1cdab10a2c8cb5ce95bff03411f
a4bdc332d9cecafcc8381cd6e5ff4667
16fabe48278f84f8ae1bc682a3bd71d7
c08519230b49ad87bc6aa12933aa0cec


Thursday, 22 October 2015

Malware spam: "Notice to Appear" / Notice_to_Appear_00800614.zip

This fake legal spam comes with a malicious attachment:

From:    District Court
Date:    22 October 2015 at 19:03
Subject:    Notice to Appear

Notice to Appear,

This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Michael Newell,
District Clerk.

Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js which looks like this [pastebin]. This obfuscated script translates into something a bit more understandable which clearly references the following domains:

www.flowarrior.com
www.abama.org
littlefacesofpanama-association.com

The Hybrid Analysis report shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55 (possibly Cridex). It references the following IPs as being highly suspect:

91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)

A large number of IPs are queried according to that report:

I have not had the chance to check those individual IP addresses, but I recommend that you block the following two at least:

91.121.108.77
78.24.220.229 


UPDATE 26/10/15:

A slightly revised version of this is circulating:


Notice to Appear,

This is to inform you to appear in the Court on the November 03 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Nathan Andrews,
District Clerk.
The attachment is Notice_to_Appear_000314661.zip which contains a file Notice_to_Appear_000314661.doc.js which has a VirusTotal detection rate of 14/55. According to this Hybrid Analysis report it contacts a LOT of IPs, but these in particular should be blocked:

67.199.5.184 (CrystalTech Web Hosting, US)
78.24.220.229 (TheFirst-RU, Russia)
189.131.94.156 (UniNet, Mexico)
74.10.19.66 (Knox Attorney Service Inc., US)


The following files are dropped (VT reports) [1] [2] [3]

Recommended blocklist:
67.199.5.184
78.24.220.229
189.131.94.156
74.10.19.66
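
Two container tricks appear in these posts: the Credit Note CN-06536.doc attachment in the 23 October post that was really a ZIP holding an executable, and the .doc.js script inside the Notice_to_Appear ZIP described here. Both can be caught at a mail gateway by checking content instead of names. The following is an added example, not code from the original posts; the function names, the extension sets and the sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header
MZ_MAGIC = b"MZ"                                 # Windows PE executable

# Assumed policy sets for this example; tune them for your own gateway.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}


def split_exts(name):
    """Return (decoy_ext, final_ext), lower-cased, for a file or member name."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    final = "." + parts[-1] if len(parts) > 1 else ""
    decoy = "." + parts[-2] if len(parts) > 2 else ""
    return decoy, final


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def triage(filename, data):
    """Return a list of findings for one attachment; empty means nothing matched."""
    findings = []
    _, ext = split_exts(filename)
    kind = sniff(data)
    # A legacy Office extension must carry an OLE2 container. Note that a .docx
    # renamed to .doc is also reported here, which is worth a look anyway.
    if ext in LEGACY_OFFICE and kind != "ole2":
        findings.append(f"extension-mismatch: {ext} content is {kind}")
    if kind != "zip":
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                decoy, final = split_exts(info.filename)
                if final in EXEC_EXTS:
                    findings.append(f"executable-member: {info.filename}")
                    if decoy in DECOY_EXTS:
                        findings.append(f"double-extension: {info.filename}")
                if info.flag_bits & 0x1:  # encrypted, content cannot be sniffed
                    findings.append(f"encrypted-member: {info.filename}")
                    continue
                with zf.open(info) as member:
                    if member.read(2) == MZ_MAGIC:
                        findings.append(f"pe-content: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("corrupt-zip")
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: names follow the posts, contents are harmless filler.
SAMPLES = {
    "Credit Note CN-06536.doc": make_zip({"Credit Note CN-83607.exe": MZ_MAGIC + b"\x00" * 62}),
    "Notice_to_Appear_00800614.zip": make_zip(
        {"Notice_to_Appear_00800614.doc.js": b"// constructed placeholder\n"}),
    "constructed-genuine.doc": OLE2_MAGIC + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage(name, blob) or "no findings")
```

An empty result only means these container checks did not fire: the macro documents described elsewhere on this page are genuine OLE2 files and need macro inspection instead.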


Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk" (again)

This fake invoice does not come from United Utilities Scotland, but is instead a simple forgery with a malicious attachment. It is very similar to this spam sent a few days ago.

From     "UUSCOTLAND" [UUSCOTLAND@uuplc.co.uk]
Date     Thu, 22 Oct 2015 19:30:13 +0700
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk
Unitedutilitiesscotland.com


EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

www.unitedutilities.com
www.unitedutilities.com/subsidiaries
So far I have seen three different versions of the attachment, all named 22 October 2015 Invoice Summary.doc, with detection rates of between 4/55 and 7/55 at VirusTotal [1] [2] [3], containing one of these malicious macros [1] [2] [3].

Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates.

UPDATE 1:
This VirusTotal report also identifies the following download locations:

beauty.maplewindows.co.uk/t67t868/nibrd65.exe
dtmscomputers.co.uk/t67t868/nibrd65.exe
namastetravel.co.uk/t67t868/nibrd65.exe 


This file has a VirusTotal detection rate of 2/54 and that report indicates network traffic to:

198.74.58.153 (Linode, US)

Further analysis is pending. In the meantime I suggest that you block traffic to the above IP.

MD5s:
782a72da42da3fe9bd9e652dd08b968a
5dad04118f9f26e1d5fcc457c52aeebb
6c7e84f91bd27b7252e0eccfb00b896d
7be71a7317add5bff876a9e5a04fcba1