Friday, 7 November 2014

No, I do not want to go to your spammy disco

I've seen some odd spam in the past. I've never been spammed by an Essex disco operator before:

From:     ronnie-s-dj Professional Entertainment [info@ronnie-s-dj.co.uk]
Date:     7 November 2014 06:24
Subject:     Christmas New Year 2014! Disco & Karaoke Party Time

The spamvertised domains are karaoke-dj.co.uk and ronnie-s-dj.co.uk and the same owner also operates ronwindsor.co.uk. I'll spare him the embarrassment of listing his address.

I assume that Ron bought a cheap mailing list in good faith without realising that it was worthless, and then proceeded to spam out from his BT IP of 109.154.39.151 via Outlook.com with abandon. Unfortunately, this sort of thing gets both your web hosting suspended and internet access revoked.

Hopefully Ron has a better idea of how to run a disco than how he promotes his business. But I don't fancy a trip down to Essex to find out.

europejobdays.com and other fake job sites to avoid 7/11/14

This tip from @peterkruse about a spam run pushing fake jobs using the domain europejobdays.com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain.

These fake job sites tend not to go alone, and a look at the other domains using the same nameservers comes up with a whole list of related fake sites that you should also avoid:

europejobdays.com
bamfde.com
myjobuk.com
usajobid.com
jobsiniteu.com
mycareerau.com
trabajoses.com
infopracapl.com
itjobrapido.com
jobstreetmy.com
jobstreetus.com
myjobromania.com
trabajospain.com
profesiaczech.com
careersprocanada.com
subitoit.net
stemcellcounseling.net

You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below.

Tuesday, 4 November 2014

DUCO "Remittance Advice November" spam

This fake remittance advice spam pretends to come from a company called DUCO (it does not) and comes with a malicious Word document.

From:     Therese Holden
Date:     4 November 2014 13:59
Subject:     Remittance Advice November FO1864232P

Dear Sir/Madam

Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP

Regards,
Therese Holden
Accounts Payable Department DUCO
The attachment is a Word document with a randomly-generated filename that matches the subject of the email. It contains a malicious macro [pastebin] with a VirusTotal detection rate of 0/52 (you can see the Malwr report here; it doesn't say much). In this case the macro downloads a file from http://144.76.153.36:8080/doc/9.exe and saves it as %TEMP%\DCITXEKBIRG.exe; this is also poorly detected, with a detection rate of just 3/52.

The Malwr report shows that the malware reaches out to the following URLs:

http://91.222.139.45/%26RNB2/hs3SILqWzl1%24x%20/rI9sI
http://213.140.115.29/9m0/xvgsH.jTg@/NsY/75/0b50
http://213.140.115.29/1u1mS$%3D=cVE%3DUPI%7EVe94/L&%3D%20yqWbqmNh$oP/
http://213.140.115.29/ktp6rp3vnx/x%7Egxlkki%20%2D56g%7E%20=&%3Fg%3Fx4j/r+~f6j%7Efwin%2Bcywc/%24yxvmo


It also drops a DLL on the system identified by VirusTotal as Cridex.

Recommended blocklist:
91.222.139.45
213.140.115.29
144.76.153.36

Monday, 3 November 2014

TM Group "A new invoice AB1234567C has been created for You" spam

This fake invoice is meant to come from a company called TM Group (but it doesn't). It comes with a malicious Word document attached.

From:     Taylor Slater
Date:     3 November 2014 09:32
Subject:     A new invoice FM0509816M has been created for You

Dear Client,

A new invoice, FM0509816M  has been created. Please find it attached.

Kind regards, Taylor Slater
TM Group
Helpdesk Billing

--------------------

From:     Winfred Chapman
Date:     3 November 2014 10:34
Subject:     A new invoice MP4729736L has been created for You

Dear Client,

A new invoice, MP4729736L  has been created. Please find it attached.

Kind regards, Winfred Chapman
TM Group
Helpdesk Billing

--------------------

From:     Lionel Lowery
Date:     3 November 2014 11:05
Subject:     A new invoice LB7236759Y has been created for You

Dear Client,

A new invoice, LB7236759Y  has been created. Please find it attached.

Kind regards, Lionel Lowery
TM Group
Helpdesk Billing
--------------------

From:     Trey Leonard
Date:     3 November 2014 11:05
Subject:     A new invoice LM839596Q has been created for You

Dear Client,

A new invoice, LM839596Q  has been created. Please find it attached.

Kind regards, Trey Leonard
TM Group
Helpdesk Billing
------------------
From:     Helga Wilkinson
Date:     3 November 2014 12:16
Subject:     A new invoice NT9263036Z has been created for You

Dear Client,

A new invoice, NT9263036Z  has been created. Please find it attached.

Kind regards, Helga Wilkinson
TM Group
Helpdesk Billing

------------------

From:     Carol Day
Date:     3 November 2014 11:44
Subject:     A new invoice DQ8914435K has been created for You

Dear Client,

A new invoice, DQ8914435K  has been created. Please find it attached.

Kind regards, Carol Day
TM Group
Helpdesk Billing

------------------

From:     Corey Graham
Date:     3 November 2014 11:42
Subject:     A new invoice TQ022815G has been created for You

Dear Client,

A new invoice, TQ022815G  has been created. Please find it attached.

Kind regards, Corey Graham
TM Group
Helpdesk Billing

------------------

From:     Josefina Deleon
Date:     3 November 2014 11:34
Subject:     A new invoice KZ561472B has been created for You

Dear Client,

A new invoice, KZ561472B  has been created. Please find it attached.

Kind regards, Josefina Deleon
TM Group
Helpdesk Billing

Attached is a Word document with the same filename as the supposed invoice number. So far I have seen three variations:
The macros download a further malicious file from one of the following locations:


http://149.62.168.210:8080/doc/8.exe
http://111.125.170.132:8080/doc/8.exe
http://121.78.88.208:8080/doc/8.exe


This binary has a detection rate of just 2/54. The Malwr report shows this binary reaches out to the following locations:

http://91.222.139.45/4gA6Cw%2CuZ%265%2B7/TvPKRfz@/tpm=MCPSixTbfs6%2B
http://213.140.115.29/gfffgwtmjg6_w+8j+$%26icb%3D_f2=%2Dj66/@c3qrn=b%7E%2C+1tg026.i%24w./x%2Dlq5e%2D
http://213.140.115.29/uziFUA/wE0ArLF~2K%2DuQjXh3ak/7IvEHrPuf
http://213.140.115.29/hIR%3D7nkeM%2CgV/%2C@fN0iWI/+arv9NF%24F


The malware also drops a malicious DLL with a VirusTotal detection rate of 9/54 which is identified as Cridex.

Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208
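Both the DUCO post above (4 November) and this TM Group post describe the same two-stage pattern: a macro fetches http://<ip>:8080/doc/<n>.exe, and the resulting binary talks to a short list of C2 IPs that the posts give as a recommended blocklist. The following is an added example (not tooling from the original post) of how a defender can run those indicators over a web-proxy log. The log format, the sample lines, and the helper names (load_blocklist, classify_url, triage_log) are assumptions for illustration; the IPs are the ones from the two blocklists.

```python
"""Proxy-log triage for the indicators in the DUCO and TM Group posts.

Added example. Log lines and field layout are constructed; the blocklist
entries are the IPs from the two "Recommended blocklist" sections.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Entries may be bare IPs, CIDR ranges or hostnames (one per line).
BLOCKLIST = """
91.222.139.45
213.140.115.29
144.76.153.36
149.62.168.210
111.125.170.132
121.78.88.208
"""

# Both posts show the macro fetching its payload from http://<ip>:8080/doc/<n>.exe
DROPPER_URL = re.compile(r"^http://(?P<host>[\d.]+):8080/doc/\d+\.exe$")

# Constructed log lines; assumed layout: "timestamp client method url status".
SAMPLE_LOG = """\
1415110000.123 10.0.0.15 GET http://www.example.org/index.html 200
1415110001.456 10.0.0.15 GET http://144.76.153.36:8080/doc/9.exe 200
1415110002.789 10.0.0.15 POST http://91.222.139.45/%26RNB2/hs3SILqWzl1%24x%20/rI9sI 200
1415110003.000 10.0.0.22 GET http://121.78.88.208:8080/doc/8.exe 200
1415110004.000 10.0.0.22 GET http://www.example.org/about.html 200
"""


def load_blocklist(text):
    """Split a blocklist into (networks, hostnames); a bare IP becomes a /32 network."""
    networks, hostnames = [], set()
    for entry in text.split():
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hostnames.add(entry.lower())
    return networks, hostnames


def classify_url(url, networks, hostnames):
    """Return the list of reasons a URL is suspicious (empty if none)."""
    reasons = []
    host = (urlsplit(url).hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in networks):
            reasons.append("blocklisted-ip")
    except ValueError:
        # Not an IP literal, so compare against the hostname entries instead.
        if host in hostnames:
            reasons.append("blocklisted-host")
    if DROPPER_URL.match(url):
        reasons.append("dropper-download")
    return reasons


def triage_log(log_text, blocklist_text=BLOCKLIST):
    """Return [(client, url, reasons)] for every log line that matches an indicator."""
    networks, hostnames = load_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        client, url = fields[1], fields[3]
        reasons = classify_url(url, networks, hostnames)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in triage_log(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
```

The dropper pattern is deliberately checked independently of the blocklist: a hit on the `:8080/doc/<n>.exe` shape from an IP that is not yet on the list is exactly the case where a new download location has appeared, which is what the updates to these posts keep recording.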

Friday, 31 October 2014

"Your Amazon.co.uk order has dispatched" spam has a malicious DOC attachment

This fake Amazon email comes with a malicious Word document attached:

From:     Amazon.co.uk [auto-shipping@amazon.co.uk]
Reply-To:     "auto-shipping@amazon.co.uk" [auto-shipping@amazon.co.uk]
Date:     31 October 2014 09:12
Subject:     Your Amazon.co.uk order has dispatched (#203-2083868-0173124)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #203-2083868-0173124 (received October 30, 2014)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------
The Word document contains a malicious macro [pastebin] but is currently undetected at VirusTotal (the Malwr report doesn't say much but is here).

The macro then downloads http://ctmail.me/1.exe and executes it. This malicious binary has a detection rate of 4/52, and according to the Malwr report it contacts the following URLs:

http://84.40.9.34/Xl37yRuH5LS6Nqk/~yNk%2C2IO.1Jw9/wm@OF0fR%2BPvics%2CR8H/br~%262O%2Cu3k%3FI~i7%2D
http://213.143.97.18/wPfG2lK%24F/ET0~4%3De$4UsZiwg@/fJ_6E%24
http://213.143.97.18/iXxTuXI@6s1/NzJ%2CbsSmuQsl/n3
http://213.143.97.18/Yug4oQ83$~J%249BH/y93%266@@L3%3DL%26b88UmM/%24%24
http://213.143.97.18/Pizz.%2D%2CksZ@1&T/bYNr%2B9%2CK%2D1i%2BCGqLi%2Bw
http://213.143.97.18/vh/esx5rBQsLNKRJ%7E+$%2C_5KQk%2BeQpaGr/&4b0ERginAuG/zx$.G6K%3F
http://213.143.97.18/sxvxyZOihv%2C=@3v/%2BSb@9E9blzBnL7k0~TGg.OGq51%2BE5/&wru.x/%24


84.40.9.34 is Hostway in Belgium, 213.143.97.18 is Wien Energie, Austria. The malware also downloads a DLL as 2.tmp which has a detection rate of 3/54.

Recommended blocklist 1:
213.143.97.18
84.40.9.34
ctmail.me

UPDATE 1 - 2014-11-03

A very similar email is doing the rounds this morning with a different version of the attachment (called ORDER-203-2083868-0173124.doc) which has a VirusTotal detection rate of 0/54 and contains this malicious macro [pastebin]. This downloads a file from http://hilfecenter-harz.de/1.exe which also has zero detections at VirusTotal. According to the Malwr report this binary connects to the following URLs:

http://84.40.9.34/E8Zf43JY1/8/wXw4M%26H~J%7EQ5/./
http://37.139.23.200/NQwFPhXiqAw/i27%24Yz~M%2CS_/x$%2DKWssW9Yh/L3
http://37.139.23.200/jrsw4wgnsT4I2/p%3F%3FZ@BCiUhaO9FYoN~/JAkmQ+Z@1
http://37.139.23.200/unu0q1vzg3~tmww%3Fkp/ayf0u%24&l$%2Cqc%3F3@2+f.=hcf_c+vyqly%2Co.7/l%20nloj%7E%3F
http://37.139.23.200/RqCGVww2Sup3iH5rZ/h=abyF$sO%3DheysYSV/n5%3Fs/

It also downloads a malicious DLL which has a VirusTotal detection rate of 7/54 which identifies this as a version of Cridex.

Recommended blocklist 2:
84.40.9.34
37.139.23.200
hilfecenter-harz.de
garfield67.de

UPDATE 2  - 2014-11-03

A second version of the attachment is also being circulated, this time with a slightly different macro [pastebin] which downloads the same binary as before from http://garfield67.de/1.exe. I have updated blocklist 2.

UPDATE 3 - 2014-11-06

The spam has been updated with a new date and there are now three new malicious Word documents [1] [2] [3] [Malwr report] which contain one of two macros [1] [2] that download a malware binary from one of the following two locations:

http://castours.com/js/bin.exe
http://www.irming.hr/js/bin.exe


This file is saved as %TEMP%\LNZMTDCWLZX.exe and has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to:

http://84.40.9.34/NjTrZuSH2&rb/@&RT/aATv%2BqGe%2C

It also drops a DLL which has a VirusTotal detection rate of 8/53 which is identified as Cridex.

Thursday, 30 October 2014

"Further Reminder" spam has a malicious Word document attached

Another round of malicious Word documents today, this time with the subject "Further Reminder" from random senders. For example:

From:     Milan Roach
Date:     30 October 2014 11:35
Subject:     Further Reminder SN4215796

Good afternoon,

Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.

Many Thanks & Kind Regards
Milan Roach

Senior Accounts Payable Clerk
Finance Department
Attached is a malicious Word document with the same name as the subject (e.g. CopySN4215796.doc). There are at least two different versions of this document [Version 1 VirusTotal / Malwr report, Version 2 VirusTotal / Malwr report]. If macros are enabled on the target machine then a malicious macro [pastebin] runs and downloads a further component from one of the following two locations (there may be more):

http://81.7.3.101:8080/doc/6.exe
http://195.154.126.245:8080/doc/6.exe


This binary has a VirusTotal detection rate of 7/54 and the Malwr report shows it contacting the following URLs:

http://212.59.117.207/fJ5SAAWU%7EQh@T%7E/.c0ip%2D~wm&4iS$2%20/@sVAEx5n%2Dq2fhFR%2C2E3nTsY7CsJG
http://217.160.228.222/mqtGeOgnz/1%7EzXP@%20F~YhNF/tznfsAv2%2BWsXzjfHO2$0XGvz/eyWejESZTRrqx2vf/&


It also drops a file 2.tmp which is actually a DLL with a VirusTotal detection rate of 14/54 which identifies it clearly as a variant of Cridex.

Recommended blocklist:
212.59.117.207
217.160.228.222
91.222.139.45
81.7.3.101
195.154.126.245

UPDATE: a contact tells me that this malware also connects to a config file at:
212.59.117.207:8080
91.222.139.45:8080
..so I have updated the blocklist above to include these.

Tuesday, 28 October 2014

"INVOICE 101760 from Power EC Ltd" spam

This spam supposedly comes from a company called Power EC Ltd, but it doesn't. Instead it comes with a malicious Word document.

From:     soo.sutton77@powercentre.com
Date:     28 October 2014 11:01
Subject:     INVOICE 101760 from Power EC Ltd

Please find attached INVOICE number 224244 from Power EC Ltd

The invoice number varies, as does the name of the attachment, but it will be similar to INVOICE101760.doc, which has a VirusTotal detection rate of 5/53. The document contains this malicious macro [pastebin], which attempts to download a file from http://Riccis.homepage.t-online.de/Testseite/js/bin.exe. That location is currently 404ing, but I believe the payload to be the same as this [virustotal]. The Malwr analysis for that file shows it communicating with the following URLs:

http://62.75.184.70/T.T0gVY%26&s/=oj%26JT/LmoN$TxJ/SR%2COCs@0%26
http://116.48.157.176/EZE31=/zUtYQwx7rN.1UZ%20~a=/xe_j%2DhYKg+l%20P
http://116.48.157.176/CYJ4/oh$MI$G%24%3D/p%2Bab8GlH03sF%3F$u
http://116.48.157.176/EWvGnaBBxO%240ikV=o0ERs/vZsGSv6BuW9AESTs9fsiSJC$so/V72C
http://116.48.157.176/vA8rtgvLo~p%20pspL%2C61%3F/1rq&%2BpubuB%7Ei.Sfci2Hxp8=A4xuF/b5m%3D%20HccnqS3/9

Recommended blocklist:
62.75.184.70
116.48.157.176

UPDATE 2014-11-12
Another version of this spam is doing the rounds, very similar in nature:

From:     soo.sutton@powercentre.com
Date:     12 November 2014 12:57
Subject:     INVOICE 224245 from Power EC Ltd

Please find attached INVOICE number 224245 from Power EC Ltd
I have only seen one version of this, with a malicious attachment 14153.DOC which has a VirusTotal detection rate of 4/55. It contains this malicious macro [pastebin], which attempts to download a component from http://fruido.de/js/bin.exe to %TEMP%\XZLNXTMSJUX.exe, but fortunately that download location is not working (however, there could well be other download locations).

UPDATE 2014-12-08
A further version of this spam run is under way, described here.

Monday, 27 October 2014

Randomly generated "invoice xxxxxx October" spam comes with a malicious Word document

There have been a lot of these today:

From:     Sandra Lynch
Date:     27 October 2014 12:29
Subject:     invoice 0544422 October

Please find attached your October invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
Thanks very much

Kind Regards


Sandra Lynch
The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc).

The document itself is malicious and has a VirusTotal detection rate of 5/53. Inside the Word document is a macro [pastebin] that attempts to download and execute a malicious binary from http://centrumvooryoga.nl/docs/bin.exe, which is currently 404ing, which is a good sign.

There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments.

Friday, 24 October 2014

Do people really fall for this?

Here's a simple phishing spam..
From:     info@kythea.gr
Date:     24 October 2014 13:50
Subject:     payment

this mail is to inform you that the payment have been made
see the attached file for the payment slip

ANTON ARMAS
Attached is a file payment Slip (2).html which displays a popup alert:
You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information
The victim then gets sent to a phishing page, in this case at uere.bplaced.net/blasted/tozaiboeki.webmail.html which looks like this..

Ummm... do people really fall for this? The frightening answer is.. probably, yes.
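The lure in this post is a plain HTML attachment: an alert() that claims the session expired, followed by a redirect to the phishing page. As an added example (not part of the original post), the following is a mail-gateway style heuristic that flags exactly that combination in an HTML attachment. The sample HTML, the placeholder host phishing-host.invalid and the helper names (ScriptCollector, analyse_html_attachment) are constructed for illustration and are not taken from the real attachment.

```python
"""Heuristic check for an alert-then-redirect HTML phishing attachment.

Added example; the sample document and hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for "payment Slip (2).html"; the phishing host is a placeholder.
SAMPLE_HTML = """<html><body>
<script>
alert("You have been signed out of this account. To continue you will need to sign in again.");
window.location = "http://phishing-host.invalid/webmail.html";
</script>
</body></html>"""

# The alert lure, and the common inline-script redirect idioms.
ALERT_RE = re.compile(r"\balert\s*\(", re.IGNORECASE)
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.replace\s*\(\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


class ScriptCollector(HTMLParser):
    """Gather inline <script> bodies and <meta http-equiv=refresh> targets."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.meta_targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://..."; a meta refresh is another redirect route.
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.IGNORECASE)
            if m:
                self.meta_targets.append(m.group(1).strip("'\""))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and self.scripts:
            self.scripts[-1] += data


def analyse_html_attachment(html):
    """Return {"alert", "redirect_hosts", "suspicious"} for one HTML attachment."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    targets = list(parser.meta_targets)
    has_alert = False
    for body in parser.scripts:
        if ALERT_RE.search(body):
            has_alert = True
        for m in REDIRECT_RE.finditer(body):
            targets.append(m.group(1) or m.group(2))
    hosts = sorted({urlsplit(t).hostname for t in targets if urlsplit(t).hostname})
    return {
        "alert": has_alert,
        "redirect_hosts": hosts,
        # The lure pattern from the post: an alert followed by a redirect off the attachment.
        "suspicious": has_alert and bool(hosts),
    }


if __name__ == "__main__":
    print(analyse_html_attachment(SAMPLE_HTML))
```

Reporting the redirect hosts separately from the verdict is deliberate: the host list is what you feed into a blocklist or a takedown request, while the verdict only decides whether the attachment is quarantined.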


"You've received a new fax" spam.. again.

Another day, another fake fax spam.
From:     Fax [fax@victimdomain.com]
To:     luke.sanson@victimdomain.com
Date:     24 October 2014 10:54
Subject:     You've received a new fax

New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://galeriaslodkosci.pl/efax/document.php

(eFax Drive is a file hosting service operated by J2, Inc.)
The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip, which in turn contains a malicious executable document_92714-872_pdf.exe with a VirusTotal detection rate of 3/54. The Malwr report shows the following URLs are contacted:

http://188.165.214.6:20306/2410uk1/HOME/0/51-SP3/0/
http://188.165.214.6:20306/2410uk1/HOME/1/0/0/
http://188.165.214.6:20306/2410uk1/HOME/41/5/1/
http://rodgersmith.com/css/2410uk1.oss

The malware also drops two executables on the system, kcotk.exe (VT 0/53, Malwr report) and ptoma.exe (VT 2/51, Malwr report).

Recommended blocklist:
188.165.214.6
rodgersmith.com

Bitstamp.net "New bank details" spam

This fake email pretending to be from Bitstamp.net (a Bitcoin exchange) is meant to have a malicious payload (probably a Word document) but in the sample I have seen that payload is missing. However, if you receive a similar email with an attachment then it is probably malicious.

From:     Bitstamp.net [no_reply@bitstamp.net]
Date:     23 October 2014 14:48
Subject:     New bank details

New banking details

Dear Bitstamp clients,

We would like to inform you that Bitstamp now has new bank details, please check attached file.

We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.

Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.

Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.

Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED
Despite the hype, very few people actually deal with Bitcoins and I suspect even fewer use this particular exchange, so I assume that the attackers in this case are very interested in targeting Bitcoin owners specifically.

Thursday, 23 October 2014

"Voice Mail" (voicemail_sender@voicemail.com) spam

Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, don't open it.
From:  "Voice Mail" [voicemail_sender@voicemail.com]
Date:  Thu, 23 Oct 2014 14:31:22 +0200
Subject:  voice message from 598-978-8974 for mailbox 833

You have received a voice mail message from 598-978-8974
Message length is 00:00:33. Message size is 264 KB.

Download your voicemail message from dropbox service below (Google Disk
Drive Inc.):

http://itsallaboutrice.com/documents/doc.php
Clicking the link goes to a script that detects if the visitor is running Windows; if so, it downloads a file doc_9231-92_pdf.zip onto the target system, which in turn contains a malicious executable doc_9231-92_pdf.exe with a VirusTotal detection rate of 4/51.

The Malwr report for that binary shows it communicating with the following URLs:

http://188.165.214.6:18608/2310uk1/HOME/0/51-SP3/0/
http://188.165.214.6:18608/2310uk1/HOME/1/0/0/
http://188.165.214.6:18608/2310uk1/HOME/41/5/1/
http://inaturfag.com/files/2310uk1.oss

188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system, nlsio.exe (VT 4/48, Malwr report) and qhcjp.exe (VT 0/51, Malwr report).

Recommended blocklist:
188.165.214.6
inaturfag.com
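The fake-fax post (24 October) and this voicemail post both deliver a zip whose single member is an executable named to look like a PDF (document_92714-872_pdf.exe, doc_9231-92_pdf.exe). As an added example that is not part of the original posts, the following inspects such an archive and flags members by name (executable or "_pdf.exe" style double extension) and by content (the MZ header), so that simply renaming the member does not evade the check. The archive contents and the helper names (build_zip, find_disguised_executables) are constructed for illustration.

```python
"""Flag disguised executables inside a zip attachment.

Added example; the archive built here mimics doc_9231-92_pdf.zip from the
post but its contents are constructed placeholders, not the real payload.
"""
import io
import re
import zipfile

# Extensions Windows will run directly.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.IGNORECASE)
# A document-looking stem followed by an executable extension, e.g. "doc_9231-92_pdf.exe".
DOUBLE_EXT = re.compile(r"(pdf|doc|docx|xls)\.(exe|scr|com|pif)$", re.IGNORECASE)


def build_zip(members):
    """Construct an in-memory zip from {name: bytes} (test fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_disguised_executables(zip_bytes):
    """Return [(member_name, reasons)] for members that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if EXECUTABLE_EXT.search(info.filename):
                reasons.append("executable-extension")
            if DOUBLE_EXT.search(info.filename):
                reasons.append("double-extension")
            # Content check: a PE file starts with "MZ" whatever it is called.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("mz-header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    # Constructed lookalike of the voicemail lure: an "MZ" stub and a harmless text file.
    sample = build_zip({
        "doc_9231-92_pdf.exe": b"MZ" + b"\x90" * 62 + b"constructed placeholder",
        "readme.txt": b"nothing to see here",
    })
    for name, reasons in find_disguised_executables(sample):
        print(name, ",".join(reasons))
```

Only the first two bytes of each member are read, so the check stays cheap on large archives; a full-file scan is what the VirusTotal numbers in these posts show to be unreliable on day one anyway.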



Fake supertouch.com / Allied International Trading Limited "Order Confirmation spam"

This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a forgery originating from an organised crime ring; it does not originate from supertouch.com / Allied International Trading Limited, nor have their systems been compromised in any way.

From:     Elouise Massey [Elouise.Massey@supertouch.com]
Date:     23 October 2014 10:52
Subject:     Order Confirmation

Hello,

Thank you for your order, please check and confirm.

Kind Regards


Elouise

Allied International Trading Limited
Unit 1A
Hubert Road
Brentwood
Essex
CM14 4JE
United Kingdom
Telephone 0845 130 9922
Fax 0845 130 9933
In the sample I received, the attachment was corrupt but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload are exactly the same as the ones being sent out today with this spam run (read that post for more details) and are very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:

87.106.84.226
84.40.9.34
jvsfiles.com

Wednesday, 22 October 2014

"This email contains an invoice file attachment" spam contains poorly-detected malware

This fake invoice spam has a malicious Word document attached.

From:     Brittney Spencer , Customer service [Fitzgerald.79f7@host-77-242-217-170.telecomitalia.sm]
Date:     22 October 2014 12:46
Subject:     Reference:ZHO904856SU

 This email contains an invoice file attachment ID:ZHO904856SU



Thanks!

Brittney Spencer .
In this case the attachment was ZHO904856SU.doc which contains a malicious macro, however at the moment the document is showing a VirusTotal detection rate of 0/54.

Attempting to open the document gives the following message:

You didn't enable macros.
Content cant be visible.

..along with an embedded image to tell you how to turn macros off.

If the victim does this, then this malicious macro [pastebin] runs and downloads an executable from http://162.243.234.167:8080/gr/4.exe which has a VirusTotal detection rate of just 1/53.

The Malwr analysis shows this binary posting data to: http://178.250.243.114/IArej7rcO/@HPZ8A5aPU_W/

The 178.250.243.114 IP address is allocated to MajorDomo LLC, Russia. The executable also drops a malicious DLL using the name 2.tmp which also has a VirusTotal detection rate of 0/54.





Tuesday, 21 October 2014

Fake "Humber Merchants Group / humbermerchants.co.uk" Industrial Invoices spam

This fake spam pretends to come from the legitimate firm Humber Merchants but doesn't. It's a forgery: Humber Merchants are not sending out this spam, nor have they been hacked or compromised.

From:     ps7031112@humbermerchants.co.uk
Date:     21 October 2014 15:21
Subject:     Industrial Invoices

Attached are accounting documents from Humber Merchants

Humber Merchants Group

Head Office:
Parkinson Avenue
Scunthorpe
North Lincolnshire
DN15 7JX

Tel: 01724 860331
Fax: 01724 281326
Email: sales@humbermerchants.co.uk

--
Automated mail message produced by DbMail.
Registered to Humber Merchants Limited  , License MBS2008354.
Attached is a malicious Word document 15040BII3646501.doc which has a VirusTotal detection rate of 6/54. The Malwr report gives a little detail as to what is going on, but the crux of it is that if you have macros enabled then they will download and execute a malicious binary from http://gpsbah.com/images/1.exe which has a VirusTotal detection rate of 11/53, and which the Malwr report indicates then connects to the following URLs:

http://62.75.182.94/eQ7j0+Z7/kfnmylxhl/%7EaEskub2Av7ZSh%20v@q%2Ct6W/@
http://62.75.182.94/CzUO1%20cxp%3DkLsR&/RTlIMuF1Wo/EWhm1z.ZuO8%2C2/sH@%3Fnqiakk_Tq/
http://62.75.182.94/X4mSfKkEhOPU%242cqi5W%3F%20&1Iql%20Byr/%2D588l0wY3w+=SsKQut1mgPzk%2C%24G+seO%3F
http://62.75.182.94/zms%3F@&JoTAN%2C/0C%20%2Bk+nCk_/p%20rxIqpUOyt%3FYR4W1g%2B
http://62.75.182.94/oX83KZqm@WZ%2BM%3F%20wQG@$24+/h5@RnK5~Y@7&mKGc%2C1%7E0/BhmOUE~Xf/_T_%20GSN

62.75.182.94 is a Serverloft / Intergenia IP address in Germany.

Recommended blocklist:
62.75.182.94
gpsbah.com

UPDATE 2014-10-23

Another version of the attachment is doing the rounds, this time the attachment has a detection rate of 0/54  (Malwr report) but in this case it downloads a file from http://jvsfiles.com/common/1.exe which has a detection rate of just 1/54.

According to the Malwr report, that binary contacts the following URLs:

http://84.40.9.34/kSIfRXSnEP25k76mz/9_oSoYWIoYi0/0%2B.tYWE05j%7EVA%24k/Jnt%26
http://87.106.84.226/SYh7Y+NbkSk74/mWbqM9m/L2o/%26hA%2DFG
http://87.106.84.226/QzteG3org5I%3Fa/@&e%7EfgonN%205ccf~qCi2/1_%2C%26A3QPq%3F/w56KC%2D4B0lFMbghLcFm
http://87.106.84.226/jooywueelxs/=+juqybp3sc/%2Db.mm01%24__s3/r1&iw2%20a+%3Dse%24%20@m1bpe%24%20ru/
http://87.106.84.226/pIQ%3FSS%3F%2DPC%207/%7E=jN%3Fh5e%3FP%20mB

87.106.84.226 is 1&1, Germany and 84.40.9.34 is Hostway, Belgium.

This executable drops a DLL on the system which is also poorly detected with a detection rate of 1/54.

Recommended blocklist:
87.106.84.226
84.40.9.34
jvsfiles.com

UPDATE 2014-11-13

A fresh round of spam has started with the same template. So far I have seen two documents with low detection rates [1] [2] [Malwr report] that download one of two malicious binaries [1] [2] [pastebin] from one of these locations:

http://body-fitness.net/js/bin.exe
http://live.znicz-pruszkow.cba.pl/mandoc/js/bin.exe

This is also poorly-detected according to VirusTotal. The Malwr report for this shows that it reaches out to the following URL (again):

http://84.40.9.34/Xe0RBsy6nU2qow&nr7pGA%3DTWw./%7EwosMJ_V46G3/5Cqmr+6S/1ZzUf

It also drops a DLL identified by VirusTotal as Dridex.

Monday, 20 October 2014

beeg.com hacked (again)

Adobe Billing "Adobe Invoice" spam / adb-102288-invoice.doc

This fake Adobe spam has a malicious Word document attached.

From:     Adobe Billing [billing@adobe.com]
Date:     20 October 2014 11:33
Subject:     Adobe Invoice

Adobe(R) logo    
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service
Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners.

© 2014 Adobe Systems Incorporated. All rights reserved. 

Attached is a malicious Word document adb-102288-invoice.doc which has a VirusTotal detection rate of just 1/53; the Malwr report shows there are macros in the document that try to run when it is opened. If macros are enabled, this then downloads and executes a malicious binary from http://pro-pose-photography.co.uk/fair/1.exe which also has a pretty poor detection rate of 2/53.

According to the Malwr report, this binary then reaches out to the following URLs:

http://62.75.182.94/66mAzAj8ko%2Ch$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26
http://208.89.214.177/xWmWEs0Br+3%26KH0/ES$B6JR%2C+j3K2./%20SB
http://208.89.214.177/6ly5iKYr&q$%2CIYA/9Y8STPqNxu/j2hfMb6S
http://208.89.214.177/O4tHj8hw9RA~P%3FkB69agw.ksFx_&ce@%2DV%24/%2BSUq%2DBP$%24zqFH.O%2BRg%20%20/T%2D
http://208.89.214.177/yr3=E~SS+/%2Df7Y.OZk3M/~Ww6A3~33YQ%24UT%3D

The IPs in question are 208.89.214.177 (Virpus, US) and 62.75.182.94 (Intergenia, Germany).

The malware then drops another malicious binary 2.tmp (which looks like a DLL). The VirusTotal detection rate for this is only 1/54. The Malwr report is inconclusive.

Recommended blocklist:
208.89.214.177
62.75.182.94
pro-pose-photography.co.uk

Saturday, 18 October 2014

Evil network: 5.135.230.176/28 (OVH / "Eldar Mahmudov" / mahmudik@hotmail.com)

These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK (hat tip).

Domains that are currently hosted in the range are listed below; domains flagged as malicious by Google are highlighted. I think it is safe to assume that all these domains are in fact malicious.

The following domains have recently been hosted in this space. Ones marked malicious by Google are highlighted, although I would again assume they are all malicious.

5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:

organisation:   ORG-EM25-RIPE
org-name:       eldar mahmudov
org-type:       OTHER
address:        ishveran 9
address:        75003 paris
address:        FR
e-mail:         mahmudik@hotmail.com
abuse-mailbox:  mahmudik@hotmail.com
phone:          +33.919388845
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
changed:        noc@ovh.net 20140621
source:         RIPE


There appears to be nothing legitimate at all in this IP address range, and I strongly recommend that you block traffic going to it.


Friday, 17 October 2014

"Final notification" malware spam uses a Google redirector and copy.com

This malware spam uses a Google redirector to retrieve malware hosted on copy.com:

From:     compplus@click.com.py
Date:     17 October 2014 17:04
Subject:     Final notification for support@victimdomain.com

Purchase Notice

Thank you for buying at our store!

Processed on October 17th 2014

We are happy to let you know that the package is on its way to you. We also attached delivery terms to residential address.

Payment #: 507040420
Order total: 2088.11 USD
Shipping date: October 18 2014.


Please hit the link given at the bottom to get more details about your order.

Order details

The link in this particular email is https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FU3k7IRbLXyIv%2FShippingLable_HSDAPDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNF6TQQctHxLItp_Nmdrx94MJkhmAA which downloads a malicious executable ShippingLable_HSDAPDF.scr and this has a VirusTotal detection rate of 3/54.
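To see what a Google redirector link like this really points at, here is an added example (not code from the original post) that unwraps the q parameter and flags an executable filename behind it; the extension list is my own choice, not something from the post.

```python
from urllib.parse import urlparse, parse_qs
import posixpath

# Extensions that should never arrive behind an "order details" link (assumed list).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def unwrap_google_redirect(url):
    """Return the real destination of a google.com/url?q=... redirector.

    Any other URL is returned unchanged.  parse_qs percent-decodes the
    q value, so the nested https%3A%2F%2F... becomes a plain URL.
    """
    parts = urlparse(url)
    if parts.hostname and parts.hostname.endswith("google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return target[0]
    return url


def classify_link(url):
    """Unwrap the link and report the host, file name and whether it is executable."""
    final = unwrap_google_redirect(url)
    p = urlparse(final)
    filename = posixpath.basename(p.path)
    ext = posixpath.splitext(filename)[1].lower()
    return {
        "redirector": final != url,        # True when a Google redirector was peeled off
        "host": p.hostname,                # the real file host (copy.com in the post)
        "filename": filename,
        "executable": ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    # The link quoted in the post above.
    link = ("https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FU3k7IRbLXyIv"
            "%2FShippingLable_HSDAPDF.scr%3Fdownload%3D1&sa=D&sntz=1"
            "&usg=AFQjCNF6TQQctHxLItp_Nmdrx94MJkhmAA")
    print(classify_link(link))
```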

The automated analysis tools used so far [1] [2] [3] have given inconclusive results.

eFax message from "02086160204" spam

This fake eFax spam leads to malware:

From:     eFax [message@inbound.claranet.co.uk]
Date:     17 October 2014 11:36
Subject:     eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204

Fax Message [Caller-ID: 208-616-0204]

You have received a 1 page fax at 2014-10-17 09:34:48 GMT.

* The reference number for this fax is lon2_did11-4056638710-9363579926-02.



Please visit https://www.efax.co.uk/myaccount/message/lon2_did11-4056638710-9363579926-02 to  view  this message in full.

Thank you for using the eFax service!
 Home     Contact     Login
Powered by j2

© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

The telephone number seems to vary but is always in the 0208616xxxx format.

The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:

http://tadarok.com/wp-content/themes/deadline/mess.html
http://107.170.219.47/wp-content/themes/inove/mess.html
http://dollfacebeauty.com.au/wp-content/themes/landscape/mess.html

Then (if your user agent and referrer are correct) it goes to a fake eFax page at http://206.253.165.76:8080/ord/ef.html which does look pretty convincing. (Incidentally, if the UA or referrer are not right you seem to get dumped on a pills site, naturaldietpills4u.com.)


The download link goes to http://206.253.165.76:8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54.

The Malwr report is interesting because it contains many references to bacstel-ip, which is the name of an online payment system used by UK businesses. The malware also contains the string:

runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc

If you are a sysadmin then you might recognise this as being the "Active Directory Users and Computers" admin tool. So, are the bad guys probing for sysadmins?

The malware connects to the following URLs:

http://212.59.117.207/yqqwe9mN5yoZJwBcwDqo0kTckoyNuHmw3cXoyRRFa/kaT1aBHyLi9Ne5TcaVNg3ik0NkDZ4ZqwwP/J9s1iNPmFwLiTgJuwky
http://107.170.19.156/sqVT2amDRPXDRkRmkcoyki5kimRHkZyuiqNJuV4eo/RZDe9aPekT5wqB75ge8PXHeN
http://107.170.19.156/VmwBacsascVDgHgFsDu/37PDXaX6ZVTuJ7LDeyaosTiXcZiNPg1FZak/D3TqP4RD8o1HX0TVFqkRBJwc7i
http://107.170.19.156/5XuammNFaHN8HNmD95sHik/a7mHqwFDD4ayHiuk5DeZasiXNuFucy1o/PqXNkwTu69c/1kgyo7gauTouq/wsLPNw91iN5mBL5HJsiJTmge

I recommend blocking 107.170.19.156 (Digital Ocean, US), 212.59.117.207 (IO-Hosts Ltd, Russia) and 206.253.165.76 (Arachnitec, US).

Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76
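The three stages described above (mess.html on a hacked WordPress theme directory, the fake eFax page on :8080/ord/, the FAX_*.zip payload) plus the recommended blocklist can be turned into a simple proxy-log check. This is an added example, not code from the original post; the log format and the client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# IPs from the recommended blocklist above.
BLOCKLIST = {"107.170.19.156", "212.59.117.207", "206.253.165.76"}

# Stage 1: mess.html dropped into a theme directory of a hacked WordPress site.
STAGE1_RE = re.compile(r"^https?://[^/]+/wp-content/themes/[^/]+/mess\.html$")
# Stages 2 and 3: the fake eFax page and the FAX_<date>_<epoch>_<n>.zip payload.
STAGE23_RE = re.compile(r"^https?://[^/]+:8080/ord/(ef\.html|FAX_\d{8}_\d{10}_\d+\.zip)$")


def classify_url(url):
    """Label a URL that matches one of this campaign's stages, else return None."""
    if STAGE1_RE.match(url):
        return "stage1-hacked-wordpress"
    m = STAGE23_RE.match(url)
    if m:
        return "stage3-zip-payload" if m.group(1).endswith(".zip") else "stage2-fake-efax-page"
    if urlparse(url).hostname in BLOCKLIST:
        return "blocklisted-ip"
    return None


# Constructed proxy log lines (not real traffic): "<time> <client> <method> <url>".
SAMPLE_LOG = """\
2014-10-17T11:40:02 10.1.2.33 GET http://tadarok.com/wp-content/themes/deadline/mess.html
2014-10-17T11:40:03 10.1.2.33 GET http://206.253.165.76:8080/ord/ef.html
2014-10-17T11:40:41 10.1.2.33 GET http://206.253.165.76:8080/ord/FAX_20141008_1412786088_26.zip
2014-10-17T11:45:10 10.1.2.33 POST http://107.170.19.156/sqVT2amDRPXDRkRmkcoyki5kimRHkZyuiqNJuV4eo/RZDe9aPekT5wqB75ge8PXHeN
2014-10-17T11:46:00 10.1.2.57 GET http://example.com/wp-content/themes/twentyfourteen/style.css
"""


def scan_log(text):
    """Return (client, label, url) for every log line that matches the campaign."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, _, url = parts
        label = classify_url(url)
        if label:
            hits.append((client, label, url))
    return hits


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(client, label, url)
```

A client that hits all three stages in sequence, as 10.1.2.33 does in the sample, has most likely run the payload and is worth an incident ticket rather than just a block.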