Malware spam: "Request for payment (PGS/73329)" / "PGS Services Limited [rebecca@pgs-services.co.uk]"

This spam email is confused. It's either about a watch repair or property maintenance. In any case, it has a malicious attachment:

From: PGS Services Limited [rebecca@pgs-services.co.uk]
Date: 1 December 2015 at 12:06
Subject: Request for payment (PGS/73329)


Dear Customer,
We are contacting you because there is an invoice on your account that is overdue for payment and although we have contacted you already our system is still showing that the invoice remains unpaid.

RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place
London

W1F 7PA
Full details are attached to this email in DOC format.

Click here to make a payment

If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.
Kind regards,
Rebecca Hughes
Customer services team
PGS Services | Expert Property Care
Direct dial: 0203 819 7054
Email: rebecca@pgs-services.co.uk
Visit our website: www.pgs-services.co.uk
10 quick questions - tell us what you think!
http://www.pgs-services.co.uk/feedback/

Attached is a file 3-6555-73329-1435806061-3.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]) and these Malwr reports [4] [5] [6] indicate that it downloads a malicious binary from the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
cru3lblow.xf.cz/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

This binary has a detection rate of 2/55. According to this Malwr report and this Hybrid Analysis report, it phones home to some familiar and very bad IPs:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
157.252.245.29 (Trinity College Hatford, US)

The payload is probably the Dridex banking trojan.

MD5s:
6171b6272b724e8c19079b5b76bcc100
00312e3379db83bcf9008dd92dc72c2f
d1a401e07f3cab9488d41d509444309f
a4dcd843f545e02ce664157b61cb6191

Recommended blocklist:
94.73.155.8/29
89.32.145.12
221.132.35.56
157.252.245.29

Malware spam: "Card Receipt" / "Tracey Smith" [tracey.smith@aquaid.co.uk]

This fake financial spam does not come from AquAid, but is instead a simple forgery with a malicious attachment. Poor AquAid were hit by the same thing several time earlier this year.

From     "Tracey Smith" [tracey.smith@aquaid.co.uk]
Date     Tue, 01 Dec 2015 10:54:15 +0200
Subject     Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey
 
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk

AquAid really is the only drinks supplier you will ever need with our huge
product range. With products ranging from bottled and mains fed coolers ranging up
to coffee machines and bespoke individual one off units we truly have the
right solution for all environments. We offer a refreshing ethical approach
to drinks supply in that we support both Christian Aid and Pump Aid with a
donation from all sales.  All this is done while still offering a highly
focused local service and competitive pricing. A personalised sponsorship
certificate is available for all clients showing how you are helping and we
offer £25 for any referral that leads to business.

*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with
registered number 3505477 and registered office at 51 Newnham Road,
Cambridge, CB3 9EY, UK. This message is intended only for use by the named
addressee and may contain privileged and/or confidential information. If you
are not the named addressee you should not disseminate, copy or take any
action in reliance on it. If you have received this message in error please
notify the sender and delete the message and any attachments accompanying it
immediately. Neither AquAid nor any of its Affiliates accepts liability for
any corruption, interception, amendment, tampering or viruses occurring to
this message in transit or for any message sent by its employees which is
not in compliance with AquAid corporate policy.

Attached is a file CAR014 151238.doc which comes in at least two different versions with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

This binary has a detection rate of 3/54. The Malwr report for that file shows that it phones home to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)

There are other bad IPs in the 94.73.155.8 - 94.73.155.15 range, so I strongly recommend that you block all traffic to 94.73.155.8/29.

These two Hybrid Analysis reports [1] [2] also show malicious traffic to the following IPs:

89.248.99.231 (Interdominios S.A., Spain)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
221.132.35.56 (Post and Telecom Company, Vietnam)
78.24.14.20 (VSHosting s.r.o., Czech Republic)

The payload here is probably the Dridex banking trojan.

MD5s:
e590d72e4a7a26aefcf4aa2b438dbb64
42a897dcd53bd7a045282205281892e4
b815797e050e45e3be435d3ecf48bfb0

Recommended blocklist:
94.73.155.8/29
89.248.99.231
103.252.100.44
89.108.71.148
221.132.35.56
78.24.14.20

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:

From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )

I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.

UPDATE

I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:

bjdennehy.ie/~upload/89u87/454sd.exe

This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)

MD5s:
495d47eedde6566a12b74c652857887e
182db9fc18c5db0bfcb7dbe0cf61cae5
177948c68bc2d67218cde032cdaf1239
07c90e44adcf8b181b55d001cd495b7f

Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update. 

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)

The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)

These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212
mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw

Malware spam: "Message from mibser_00919013013"

I have only one sample of this rather terse email with no body text:

From:    scan@victimdomain
Reply-To:    scan@victimdomain
To:    hiett@victimdomain
Date:    30 November 2015 at 09:22
Subject:    Message from mibser_00919013013

The spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54 and contained this malicious macro [pastebin]. .

According to this Hybrid Analysis report and this Malwr report the macro downloads a malicious executable from:

velitolu.com/89u87/454sd.exe

This binary has a detection rate of 3/55. Automated report tools [1] [2] show network traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
42.117.2.85 (FPT Telecom Company, Russia)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
5.63.88.100 (Centr, Kazakhstan)

The payload is likely to be the Dridex banking trojan:

MD5s:
1fac282d89e9af6fd548db2c71124c38
b77b2b6b80968b458e838d3a40e10551

Recommended blocklist:
94.73.155.12
42.117.2.85
89.189.174.19
5.63.88.100

Spam: "Integrated Petroleum Services" / "Transfer"

This malicious email sample was sent in by a contact (thank you), and contains a malicious attachment:

From: Integrated Petroleum Services
Sent: Friday, November 27, 2015 10:24 AM
Subject: Transfer

Hello,

Please find attached the transfer order sent on Friday 27.

Best Regards
Hugo

Attached is a file 20151126-291-transfer.xls (VT 1/53) containing this malicious macro [pastebin] which (according to this Malwr report) downloads from:

pathenryiluminacion.i8.com/76f6d5/54sdfg7h8j.exe

This binary has a VirusTotal detection rate of 3/55. The payload is the same as found in this spam run.

Malware spam: "Invoice" / "Ivan Jarman [IJarman@sportsafeuk.com]"

This fake invoice does not come from Sportsafe UK Ltd but is instead a simple forgery with a malicious attachment.

From     Ivan Jarman [IJarman@sportsafeuk.com]
Date     Fri, 27 Nov 2015 17:21:27 +0530
Subject     Invoice

Sent 27 NOV 15 09:35

Sportsafe UK Ltd
Unit 2 Moorside
Eastgates
Colchester
Essex
CO1 2TJ

Telephone 01206 795265
Fax 01206 795284 

I have received several copies of the spam with the same attachment named S-INV-BROOKSTRO1-476006.doc with a VirusTotal detection rate of 1/54 and which contains this malicious macro [pastebin].

This Malwr report shows the macro downloads from:

kidsmatter2us.org/~parentsm/76f6d5/54sdfg7h8j.exe

The executable has a detection rate of 3/55. The Hybrid Analysis report shows network traffic to:

198.57.243.108 (Unified Layer, US)
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
77.221.140.99 (ZAO National Communications / Infobox.ru, Russia)
37.128.132.96 (Memset, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
217.160.110.232 (1&1, Germany)
202.137.31.219 (Linknet, Indonesia)
91.212.89.239 (Uzinfocom, Uzbekistan)

The payload is probably the Dridex banking trojan.

MD5s:
6e5654da58c03df6808466f0197207ed
b7bb1381da652290534605e5254361bd

Recommended blocklist:
198.57.243.108
94.73.155.8/29
77.221.140.99
37.128.132.96
37.99.146.27
217.160.110.232
202.137.31.219
91.212.89.239

Random "Payment" spam leads to Dridex

I have only seen one version of this spam message so far:

From:    Basia Slater [provequipmex@provequip.com.mx]
Date:    26 November 2015 at 12:00
Subject:    GVH Payment

I hope you had a good weekend.
Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.


Basia Slater
Accountant
Comerica Incorporated

This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55, containing this malicious macro [pastebin]. The Malwr report for this version indicates a download from:

harbourviewnl.ca/jo.jpg?6625

According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53. The Hybrid Analysis report and Malwr report for that indicates malicious traffic to:

94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
199.175.55.116 (VPS Cheap INC, US)

Note that 94.73.155.12 is mentioned in this other Dridex report today, both IPs form part of a small subnet of  94.73.155.8/29 suballocated to one "Geray Timur Akkurt".

My contacts (you know who you are, thank you) indicate that the emails are generated according to the following pattern:

> From: (random)
> Subject: ABC Transaction
- raw Subject: =?UTF-8?Q?ABC__Transaction?=
- matching /[A-Z]{1,3} (Invoice|Payment|Transaction|Transfer)/
> X-mailer: Thunderbird 9.23
- matching /[1-9]\.[1-9]{2}/
Attachment: "Z98Y76.doc"
- matching /[A-Z0-9]{4,14}\.doc/

They indicate an additional download location of:

gofishretail.com/jo.jpg?[4-digit-random-number]

with an additional C2 location of:

113.30.152.170 (Net4india , India)

Recommended blocklist:
94.73.155.8/29
199.175.55.116
113.30.152.170

Malware spam: "Invoice Document SI528880" / "Lucie Newlove [lucie@hiderfoods.co.uk]"

This fake invoice does not come from Hider Food Imports Ltd but is instead a simple forgery with a malicious attachment.

From     Lucie Newlove [lucie@hiderfoods.co.uk]
Date     Thu, 26 Nov 2015 16:03:04 +0500
Subject     Invoice Document SI528880

Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

Hider Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA

Registered in England  Number : 842813

Main Tel: +44 (0)1482 561137
Sales Tel :+44 (0)1482 504333
Fax: +44 (0)1482 565668

E-Mail: mail@hiderfoods.co.uk
Website: http://www.hiderfoods.co.uk

DISCLAIMER: This e-mail and any attachments are private and confidential and are
intended solely for the use of the intended recipient(s).  If you are not the intended
recipient, you must not use, disclose, distribute, copy, print, or rely on this e-mail.
If you have received this e-mail in error, please advise the sender by return e-mail
immediately and delete all copies of this message and any attachments from your systems.
All prices quoted are subject to final confirmation. This e-mail and any other arrangements
between us will be subject to our terms and conditions of business, a copy of which
can be found at our website or available upon request.

ANTIVIRUS: Hider Food Imports Ltd regularly update and utilise current anti-virus
products.  Hider Food Imports Ltd however accept no liability for any damage which
may be caused by any virus transmitted by this e-mail or any attachments.  Recipients
should check this e-mail is free of Viruses.

The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54, and it contains this malicious macro [pastebin] which according to this Hybrid Analysis report downloads a malicious component from:

naceste2.czechian.net/76t89/32898u.exe

This executable has a detection rate of just 1/54 and automated analysis [1] [2] [3] [4] [5] shows network traffic to the following IPs:

94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
8.253.44.158 (Level 3, US)
37.128.132.96 (Memset, UK)
91.212.89.239 (Uzinfocom, Uzbekistan)
185.87.51.41 (Marosnet, Russia)
42.117.2.85 (FPT Telecom Company, Vietnam)
192.130.75.146 (Jyvaskylan Yliopisto, Finland)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
5.63.88.100 (Centr, Kazahkstan)

The payload is probably the Dridex banking trojan.

MD5s:
b8d83b04a06b6853ad3e79a977dd17af
43a1211146a1938cd4de5d46c68124eb

Recommended blocklist:
94.73.155.12
8.253.44.158
37.128.132.96
91.212.89.239
185.87.51.41
42.117.2.85
192.130.75.146
195.187.111.11
5.63.88.100

NOTE
I accidentally included 191.234.4.50 in a previous version of the blocklist. This IP is for Windows Update (I deleted it from the first list, not the second one!). If you have blocked this IP then I recommend that you unblock it.

Malware spam: Serafini_Billing_Statement 2003 / Statement.zip leads to Cryptowall

This fake financial spam leads to ransomware:

From:    Scrimpsher [mumao82462308wd@163.com]
Date:    24 November 2015 at 16:57
Subject:    Serafini_Billing_Statement 2003
Signed by:    163.com

Hi Please see attached a copy of your statement for the month of Nov 2015
Sincerely
Lynda Ang

As with many recent ransomware attacks, this appears to have been sent through webmail (it really is from 163.com, it is not being spoofed). Attached is a file Statement.zip which contains a malicious javascript statement.js [pastebin] [VT 7/53]  which then downloads a component from:

46.30.45.73/mert.exe

That IP belongs to Eurobyte LLC in Russia. I recommend that you block it.

This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55 and an MD5 of 68940329224ab93ce4b688df33a9274f. The application's icon and metadata is designed to make it look like a copy of VNC, but instead the VirusTotal detection indicates that it is Cryptowall. This Hybrid Analysis report demonstrates the ransomware in action most clearly.

One unusual characteristic is that it POSTs to a lot of webservers (also listed in these reports [1] [2] [3]) although I don't know how significant it is. Almost all the domain names being with "A":

81moxing.com
acid909.co.uk
alaska-ushuaia-ecotrip.cashew.fr
alettewinckler.com
allaboutt.co.nz
allegrostudio.ca
allergitejp.se
allsystemsrepair.com
allwinmusic.com
a-louise.com
alper.ro
alsaauto.com
alterweb.com.ua
amirhosseinnouri.com
anellovaffa.it
apinside.it
applemuseum.us
appmedia.se
arcgraphics.co.uk
armekonomi.se
armenia.e5p.eu
aroapulsa.com
aromasupply.nl
arot.altervista.org
asc-architect.com
a-s-g.fr
asiatiquegay.fr
atlanticinsulationservices.co.uk
audicarti.com
autohes.cz
autooutfitters.biz
autoservice-piehler.de
aviatorek.pl
b-52mebli.com.ua

Malware spam: FEDERAL RESERVE BANK

This spam does not come from the Federal Reserve Bank, but is instead a simple forgery with a malicious attachment:

From     "FDIC, Federal Reserve Bank"
Date     Tue, 24 Nov 2015 15:14:19 +0200
Subject     IMPORTANT!

FEDERAL RESERVE BANK

Important:
You are getting this letter in connection with new directive No. 172390635 issued
by U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation
(FDIC). The directive concerns U.S. Federal Wire and ACH online payments.

We regret to inform you that from 11/24/2015 till 11/27/2015 definite restrictions
will be applied to all Federal Wire and ACH online transactions.

It's essential to know all the restrictions and the list of affected institutions.
The process of working with online transactions is mostly very tense, so it's possible
to overlook the applied restrictions, that may be very important for you.

More detailed information regarding the affected institutions and U.S. Treasury Department
restrictions is contained in the attached document.

Federal Reserve Bank System Administration

Alternative headers:

From    U.S. FRBank [admin@frb.com]
Date    24 November 2015 at 12:59
Subject    Attention!FED Wire and ACH Restrictions Applied!

From     FEDERAL RESERVE BANK [admin@usfrb.com]
Date     Tue, 24 Nov 2015 21:33:45 +0300
Subject     FED Wire and ACH Restrictions. IMPORTANT!

From     "USA FEDERAL RESERVE BANK" [security@frbservices.com]
Date     Tue, 24 Nov 2015 10:59:40 -0500
Subject     U.S. Treasury Department. FED Wire and ACH Restrictions Applied.

 Attached is an Excel file made up of part of the recipient's domain name plus a random number. So far I have seen two samples of this (VirusTotal [1] [2]) the latter of which is corrupt. The woirking one contains a macro that looks like this.

According to this Malwr report, the macro respectively POSTs and GETs from the following URLs:

rmansys.ru/utils/inet_id_notify.php
s01.yapfiles.ru/files/1323961/435323.jpg

Also, network communication is made with two other IPs, giving the following potentially malicious hosts:

185.26.97.120 (First Colo / Fornex, Germany)
90.156.241.111 (Masterhost, Russia)
89.108.101.61 (Agava Ltd, Russia)
95.27.132.170 (Beeline Broadband, Russia)

That .JPG file is actually an executable with a detection rate of 5/55. The Hybrid Analysis report shows all sorts of interesting things going on, but no clue as to what the purpose of the malware actually is. Those reports and this Malwr report shows some additional traffic:

217.197.126.52 (e-Style ISP, Russia)
88.147.168.112 (Volgatelecom, Russia)

According to this Malwr report it drops all sorts of files including _iscrypt.dll [VT 0/54] and 2.exe [VT 2/54] which is analysed in this Malwr report and this Hybrid Analysis report. It is unclear as to what it does (ransomware? remote access trojan?), but it appears that the installation may be password protected.

MD5s:
dfe5c17d74d5827df48395561ff2df58
132e53dcc20c8c2ebbec669d2764c182
832d9cc537e52e220a58a0f47069a315

Recommended blocklist:
185.26.97.120
90.156.241.111
89.108.101.61
95.27.132.170
217.197.126.52
88.147.168.112
217.19.105.3

UPDATE

This Hybrid Analysis report shows various web pages popping up from the Excel spreadsheet, including MSN and Lidl. The purpose of this is unknown.

Malware spam: "Abcam Despatch [CCE5303255]" / orders@abcam.com

I don't have the body text to this particular message, but it is not actually from Abcam. Instead it is a simple forgery with a malicious attachment.

From     orders@abcam.com
Date     Tue, 24 Nov 2015 13:48:14 +0300
Subject     Abcam Despatch [CCE5303255]

The attachment name is invoice_1366976_08-01-13.xls and it comes in at least two versions (VirusTotal [1] [2]) containing a malicious macro like this [pastebin] which downloads from the following locations (there may be more):

biennalecasablanca.ma/7745gd/4dgrgdg.exe
villmarkshest.no/7745gd/4dgrgdg.exe

This binary has a detection rate of 2/55 and phones home to the following IPs (according to this):

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)

MD5s:
00ac8683e56102928e825f8d71b15473
2e22d61bed8c1aafaef7700c5b1f26c2
87f0a43f81efa9fb3ff26b83ec831248

Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12

Malware spam: "Scan as requested" / "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]

This fake document scan does not come from New Hope Specialist Care but is instead a simple forgery with a malicious attachment:

From     "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]
Date     Tue, 24 Nov 2015 07:11:00 -0300
Subject     Scan as requested

Regards


Paulette Riley

Administrator

New Hope Specialist Care Ltd
126 Brook Road
Oldbury
West Midlands
B68 8AE

tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104


* PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL *


This is an email from New Hope Specialst Care Ltd. The information contained
within this message is intended for the addressee only and may contain
confidential and/or privilege information. If you are not the intended
recipient you may not peruse, use, disseminate, distribute or copy this
message. If you have received this message in error please notify the sender
immediately by email or telephone and either return or destroy the original
message. New Hope Specialsit Care Ltd accept no responsibility for any
changes made to this message after it has been sent by the original author.
The views contained herein do not necessarily represent the views of New
Hope Specialist Care Ltd This email or any of its attachments may contain
data that falls within the scope of the Data Protection Acts. You must
ensure that handling or processing of such data by you is fully compliant
with the terms and provisions of the Data Protection Act 1984 and 1988

---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com

Attached is a file 20151009144829748.doc of which I have seen two versions (VirusTotal results [1] [2]) and which contain a macro like this [pastebin].

Analysis of these documents is pending, but the payload is likely to be the Dridex banking trojan.

Frustratingly, it looks like the web host has suspended newhopecare.co.uk which is not helpful in these circustances, as it stops the victim company from posting a warning.

UPDATE

These two Hybrid Analysis reports [1] [2] show a download from the following locations:

www.costa-rica-hoteles-viajes.com/~web/7745gd/4dgrgdg.exe
janaduchanova.wz.cz/7745gd/4dgrgdg.exe

This has a VirusTotal detection rate of 4/55. That VT analysis and this Malwr analysis and these two Hybrid Analysis reports [1] [2] show network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic)

MD5s:
06c1c0a6d5482b93737f9ce250161b82
3368d7d4f48d291ee0f4ae7c81dd73a6
15fcf405b726379c6efabc89d6e0ceac

Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE:  as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1] [2] [3]), containing a malicious macro like this [pastebin] which according to these Hybrid Analysis reports [4] [5] [6] downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe

This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)

The payload is likely to be the Dridex banking trojan.

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79

Malware spam: "Employee Documents – Internal Use" / Employee Documents(1928).xls

This spam appears to come from the "HR@" email address in the potential victim's own domain, but it is instead a simple forgery with a malicious attachment.

From: HR@victimdomain
To: victim@victimdomain
Subject: Employee Documents – Internal Use
Date: Mon, 23 Nov 2015 16:23:41 +0530

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: Quoted-Printable

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: [Link removed]

Attached is a file Employee Documents(1928).xls although I have had some difficulty acquiring a copy. However, my sources tell me that there are three different versions downloading from the following locations:

kunie.it/u654g/76j5h4g.exe
oraveo.com/u654g/76j5h4g.exe
www.t-tosen.com/u654g/76j5h4g.exe

The downloaded binary has a detection rate of just 1/54. That VirusTotal report and this Hybrid Analysis report show network connections to the following IPs:

89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
157.252.245.32 (Trinity College Hartford, US)

The payload is probably the Dridex banking trojan.

MD5s:
127f12a789c145ed05be36961376999e
c57bc09009a925a02fde6a6b58f988b3
bb62d7bc330a2e2452f773500428574c
a178d8d94238977b0c367dc761d9c7de

Recommended blocklist:
89.108.71.148
89.32.145.12
157.252.245.32

Malware spam: "Reprint Document archive" / "tracey.beedles@eurocarparts.com"

This fake financial spam does not come from Euro Car Parts but is instead a simple forgery with a malicious attachment.

From     tracey.beedles@eurocarparts.com
Date     Fri, 20 Nov 2015 18:49:06 +0700
Subject     Reprint Document archive

Attached is a Print Manager form.
Format = Word Document Format File (DOC)

The attachment is named pmB3A6.doc and it comes in at least four different versions (VirusTotal results [1] [2] [3] [4]) and it contains a malicious macro like this [pastebin] which according to these Hybrid Analysis results [5] [6] [7] [8] downloads a malicious binary from one of the three following locations:

pr-clanky.kvalitne.cz/65y3fd23d/87i4g3d2d2.exe
buzmenajerlik.com.tr/65y3fd23d/87i4g3d2d2.exe
irisbordados.com/65y3fd23d/87i4g3d2d2.exe

This executable has a detection rate of 4/52 and according to that VT report and this Malwr report there is network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)

Interesting, if you look at the Hybrid Analysis report and others, the executable masquerades as mbar.exe / Malwarebytes Anti-Rootkit. The payload is most likely to be the Dridex banking trojan.

Recommended blocklist:
157.252.245.32
89.32.145.12

MD5s:
ee5be0095669fb4456d2643359a174be
236244800e8f00d98a30d7d073ca3b41
e5413387decf22d3dfe3c899e43e6c25
e23b22e8bf2c97dbadd4eaa1e4e6fa21
4bd1b0bcc9bbf1889ccbd0ca0f82d5b5

Malware spam: "Jean Pierre Kibung" / "0150363108788101_02416060_1.xls"

This spam looks like an advanced free fraud, but instead it comes with a malicious attachment. The email appears to originate from within the victim's own domain, but this is a simple forgery and does not mean that you have been hacked.

From:    Jean Pierre Kibungu [jpie.kibungu@victimdomain]
Date:    20 November 2015 at 09:56
Subject:    0150363108788101_02416060_1.xls

Please find attached the swift of the transfer of $30000.

Kind regards
Jean Pierre Kibungu

INCAT


JEAN PIERRE KIBUNGU AVAR-DA-VISI
GENERAL MANAGER
INCAT OILFIELD LOGISTICS (DRC) LTD
Site:
Mob: + 243 998 01 95 01
Headoffice:
Tel.  +44(0) 1534 758859
Fax: +44(0) 1534 758834

The telephone number does match that of a genuine company in Jersey, but they are not sending this spam. The attachment is named 0150363108788101_02416060_1.xls and so far I have seen just one version of this with a VirusTotal detection rate of 4/53. It contains this malicious macro [pastebin].

Analysis of the spreadsheet is pending, but the payload is almost definitely the Dridex banking trojan.

UPDATE

Sources tell me there are at least two variants with download locations of:

betterimpressions.com/~impressions/65y3fd23d/87i4g3d2d2.exe
192.186.227.64/~irma1026/65y3fd23d/87i4g3d2d2.exe

This has an MD5 of d410a45dc4710ea0d383dee81fbbcb6f and a VirusTotal detection rate of 4/52. According to that VirusTotal report and this Malwr report, it makes a network connection to:

157.252.245.32 (Trinity College, US)

I strongly recommend that you block traffic to that IP.

Malware spam: "Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]" / "support@postcodeanywhere.com"

This spam is not from postcodeanywhere.com but is instead a simple forgery with a malicious attachment. Unfortunately, I don't have the body text of the message, the hreaders are:

From     support@postcodeanywhere.com
Date     Thu, 19 Nov 2015 16:20:40 +0300
Subject     Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]

The attachment is EDMUN11118_181859.xls which comes in two different versions (VirusTotal results [1] [2]) which according to these Hybrid Analysis reports [3] [4] download a file from one of the following locations:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe
lapelsbadges.com//8i65h4g53/o97i76u54.exe [file not found]

This has a VirusTotal detection rate of 1/54 and that VirusTotal report indicates it phoning home to:

182.93.220.146 (Ministry Of Education, Thailand)

I strongly recommend that you block that IP address. The payload is the Dridex banking trojan.

MD5s
8e22032e0b5d338ef078f5aaf302fa4c
63e22e87b78f6f82d437c7b622a84945
8aba2ca4fd785759ad2ad262d9c62d2f

Malware spam: "Your Google invoice is ready" / "billing-noreply@google.com"

This fake invoice does not come from Google, but is instead a simple forgery with a malicious attachment:

From:    billing-noreply@google.com
Date:    19 November 2015 at 12:40
Subject:    Your Google invoice is ready

Attached to this email, please find the following invoice:

Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806


Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@google.com.

Yours Sincerely,
The Google Billing Team


--------------------------
Billing ID: 0349-7974-3806

The attachment is named 1630884720.doc which comes in at least two versions (VirusTotal analysis [1] [2]) and which contains a malicious macro like this [pastebin]).

Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan.

UPDATE

The Hybrid Analysis of the two documents [1] [2] shows attempted downloads from the following locations:

bhoomiconsultants.com/8i65h4g53/o97i76u54.exe [active]
bhairavraffia.com/8i65h4g53/o97i76u54.exe [file not found]

This binary has a detection rate of 1/54 and those reports indicate malicious network traffic to the familiar IP address of:


182.93.220.146 (Ministry of Education, Thailand)

I strongly recommend that you block traffic to that IP.

Malware spam: "[Shipping notification] N3043597 (PB UK)" / "noreply@cevalogistics.com"

This rather terse spam does not come from Ceva Logistics but is instead a simple forgery with a malicious attachment.

From:    noreply@cevalogistics.com
Date:    19 November 2015 at 10:27
Subject:    [Shipping notification] N3043597 (PB UK)

There is no body text and the "N" number is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is in the same in all cases, containing this malicious macro [pastebin] and it has a VirusTotal detection rate of 2/54. The comments on that VirusTotal report plus this Hybrid Analysis report indicate a malicious binary is downloaded from:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe

This has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54 and this Hybrid Analysis report shows malicious traffic to the following IP (which I recommend you block):

182.93.220.146 (Ministry of Education, Thailand)


The payload is almost definitely the Dridex banking trojan.

Mystery "INTUIT QuickBooks" spam leads to unknown malware

This fake Intuit spam leads to malware:

From:    QuickBooks [qbsupport@services.intuit.com]
Date:    18 November 2015 at 14:34
Subject:    INTUIT QuickBooks                                                                                           
QuIckBooks.

As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The link in the email goes to:

kompuser.com/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip

This downloads a file INTUIT-Browser-up1247.zip which in turn contains a malicious executable up1247.exe (MD5 563a1f54b9d90965951db0d469ecea6d) which has a VirusTotal detection rate of 2/54. That VirusTotal report and this Hybrid Analysis report show that the malware POSTs data to:

onbrk.in/p7yqpgzemv/index.php

The Malwr report is inconclusive. The payload is unknown, however all of the following domains share the same nameservers and have also been used for malicious activity going back to August.

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The malicious .in domain is hosted on the following IPs:

31.210.116.68 (Veri Merkezi Hizmetleri A.s., Turkey)
188.247.102.215 (DataGroup Dnepr, Ukraine)
89.163.249.75 (myLoc managed IT AG, Germany)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)

Recommended blocklist:
31.210.116.68
188.247.102.215
89.163.249.75
95.173.164.212
kompuser.com
onbrk.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

UPDATE:
This entry at MalwareURL links the namesevers to the Nymaim ransomware.

Malware spam: "Receipt" / "Mike" [mike@xencourier.co.uk]

This fake financial spam does not come from Xen Courier but is instead a simple forgery with a malicous attachment:

From     "Mike " [mike@xencourier.co.uk]
Date     Wed, 18 Nov 2015 14:46:28 +0200
Subject     Receipt

Hi

Here is your credit card receipt attached. VAT invoice to follw in due
course.

Best regards

Mike

---
This email is free from viruses and malware because avast! Antivirus protection is
active.
http://www.avast.com

Despite the disclaimer, this is in no way free of viruses. Instead, it has a malicious attachment scan0001.xls which appears to come in at least three different versions with the following MD5s:

b8f5c889658cac07e810998aaa582d76
798c8a2a2d2fb658d4cea1fd60aff6b9
4592d152fcd1c3ea128b7b9e7224bf69

These contain a malicious macro that looks like this [pastebin] and the documents themselves have a VirusTotal detection rate of around 10/55 [1] [2] [3] and which according to these Hybrid Analysis reports [4] [5] [6] they attempt to download a malicious binary from the following locations:

www.eurocontainers.it/h64gf3/89j6cx.exe
www.asnp.it/h64gf3/89j6cx.exe
www.samsoncontrols.co.uk/h64gf3/89j6cx.exe [file not found]

This binary has a detection rate of 7/54 and that VirusTotal report and this Malwr report both indication malicious network traffic to:

203.172.180.195 (Ministry Of Education, Thailand)

That binary has the MD5 of:

6581b83c82ef4a2d940976a47550fb2c

 The payload is likely to be the Dridex banking trojan.

Malware spam: "DoT Payment Receipt" / "donotreply@transport.gov.uk"

This fake financial spam has a malicious attachment:

From: donotreply@transport.gov.uk [mailto:donotreply@transport.gov.uk]
Sent: Monday, November 16, 2015 12:10 PM
To: redacted
Subject: DoT Payment Receipt

[Automated message. Do not reply]

Thank you for your payment.  It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.

DISCLAIMER

This email and any attachments are confidential and may contain legally privileged and/or copyright material.  You should not read, copy, use or disclose any of the information contained in this email without authorisation.  If you have received it in error please contact us at once by return email and then delete both emails.  There is no warranty that this email is error or virus free.

I haven't seen this myself, but some contacts (thank you!) have. Attached is a file PaymentReceipt.xls which comes in several different versions, the sample I saw contained this malicious macro and had a VirusTotal detection rate of 5/54. According to my sources, the different versions download a malicious binary from one of the following:

gospi.eu/~gospi/45yfqfwg/6ugesgsg.exe
piotrektest.cba.pl/45yfqfwg/6ugesgsg.exe
wmdrewniana8.cba.pl/45yfqfwg/6ugesgsg.exe
www.kolumbus.fi/~kf0963/45yfqfwg/6ugesgsg.exe

This binary has a detection rate of 3/53 and that VirusTotal report and this Malwr report indicates malicious traffic to:

182.93.220.146 (Ministry Of Education, Thailand)
78.47.66.169 (Hetzner, Germany)
89.108.71.148 (Agava, Ltd)
221.132.35.56 (Post And Telecom Company, Vietnam)

The payload is the Dridex banking trojan.

MD5s:

e25a05d3fecceb14667048c07494d65f 
32f3495cb945448a9868c5fe653b8d7e
a5dd075bd48d16a3ad13c06651b0af10
ef3805be4797271a2a9c8552f77866c1
f2b78be5e8b52976f69b076338757146

Recommended blocklist:
cba.pl
182.93.220.146
78.47.66.169
89.108.71.148
221.132.35.56

Malware spam: "FYI: INTERAC e-Transfer to Guillaume Davis accepted" / "Bank of Montreal [notify@payments.interac.ca]"

This fake financial spam leads to malware:

From:    Bank of Montreal [notify@payments.interac.ca]
Date:    30 September 2015 at 13:34
Subject:    FYI: INTERAC e-Transfer to Guillaume Davis accepted

Dear Customer

The INTERAC e-Transfer for $2997.60 (CAD) you sent to Guillaume Davis was accepted. The transfer is now complete.

Recipient's message:  A message was not provided

Thank you for using Bank of Montreal INTERAC e-Transfer Service.

Please follow the link below to download the transaction details:

https://storage-usw-11.sharefile.com/download.ashx?dt=dt7c26b2a7994b4070a947e9cd285718bb&h=u4fdqSy4IS59j0nzAr6RzZtYbrne3JpDFwd4YfEKKM0%3d

The link in the email downloads a file INTERAC e-Transfer transaction details.doc which has a VirusTotal detection rate of just 1/53. Analysis of the malicious code within the downloaded document is pending, however the use of sharefile.com is consistent with the delivery of the Dyre banking trojan.