Sponsored by..

Monday, 26 January 2015

Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"

UPDATE: a new spam run using this firm's name is active as of 24th February. For more information click here.

Berendsen is a wholly legitimate firm in the textiles and laundry business. They are not sending out this spam, nor have their systems been compromised in any way. Instead, this email is a forgery with a malicious Word document attached.

From:    donotreply@berendsen.co.uk
Date:    26 January 2015 at 06:43
Subject:    Berendsen UK Ltd Invoice 60020918 117

Dear Sir/Madam,

Please find attached your invoice dated 1st January.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.


Thank you.

___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
Attached is a malicious Word document with a zero detection rate which contains a malicious macro [pastebin], and this in turn downloads a binary from:

http://elektromarket.cba.pl/js/bin.exe

This executable is saved as %TEMP%\LAVUBDAJLCD.exe and has a VirusTotal detection rate of 2/57 (Norman AV identified it as Dridex).

Automated analysis [1] [2] [3] [4] is proving difficult, a contact suggests that Botnet 125 (which is behind this spam run) is having stability problems. Shame.

Friday, 23 January 2015

Malware spam: "You have received a new secure message from BankLine"

For some reason these RBS BankLine spam messages are a popular mechanism for the bad guys to spread malware.

From:    Bankline [secure.message@rbs.com.uk]
Date:    23 January 2015 at 12:43
Subject:    You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://donumyok.com/RBS-DATA.STORAGE/personal.document.html

----------------
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3513.
The link in the email seems to be somewhat dynamic, as I have also seen this slightly different variant of:

http://donumyok.com/RBS_BANK-ONLINE_SECURE_STORAGE/receive.personal-document.html

The landing page looks like this:


The link on that landing page goes to http://animation-1.com/js/jquery-1.41.15.js?get_message which downloads a ZIP file called Bankline_document_pdf71274.zip (or something similar) containing an executable file named something like Bankline_document_pdf24372.exe. The numbers change in each case, and indeed the executable changes slightly every time it is downloaded.

The ThreatExpert report shows that it attempt to communicate with the well-known-bad-IP of 202.153.35.133 (Excell Media Pvt Ltd, India) which is associated with the Dyre banking trojan.

Malware spam: "IRS Fiscal Activity 531065" / "support@irsuk.co"

This fake IRS spam actually does use the irsuk.co domain to host malware.

From:    IRS [support@irsuk.co]
Date:    23 January 2015 at 11:46
Subject:    IRS Fiscal Activity 531065

Hello, [redacted].

We notify you that last year, according to the estimates of tax taxation,
we had a shortage of means.
We ask you to install the special program with new digital certificates,
what to eliminate an error.

To install the program go to the link above:
http://irsuk.co/DownloadIRSService/SetupIRS2015.zip


Thanks
Intrenal Revenue Sevrice
London W1K 6AH
United Kingdom
The ZIP file contains a malicious executable SetupIRS2015.exe  which has a VirusTotal detection rate of 8/53. The irsuk.co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux.com (78.24.219.6 - TheFirst-RU, Russia)

The WHOIS details for the domain are almost definitely fake, but kind of interesting..

Registrant ID:               CR185450554
Registrant Name:             Thomas McCaffrey
Registrant Organization:     Real Help Communications, Inc.
Registrant Address1:         3023 Anzac Avenue
Registrant City:             Roslyn
Registrant State/Province:   Pennsylvania
Registrant Postal Code:      19001
Registrant Country:          United States
Registrant Country Code:     US
Registrant Phone Number:     +1.2158872818
Registrant Email:            tom@realhelp.net


They're interesting because these really are the valid contact details for Real Help Communcations, Inc which makes me wonder if their domain account at GoDaddy has been compromised.

A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk.co) , but the host on the IP identifies itself as ukirsgov.com which is a domain created on the same day (2015-01-19) but has been suspended due to invalid WHOIS details (somebody at csc.com), which was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.).That IP is identified as malicious by VirusTotal with a number of bad domains and binaries.

The malware POSTS to garbux.com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF.

Overall, automated analysis tools are not very clear about what this malware does [1] [2] [3] [4] [5] although you can guarantee it is nothing good.

Recommended blocklist:
89.108.88.9
78.24.219.6
109.105.193.99
irsuk.co
garbux.com
ukirsgov.com
updateimage.ru
getimgdcenter.ru
agensiaentrate.it
freeimagehost.ru




Malware spam: "2014 Tax payment issue" / "Your tax return was incorrectly filled out"

This tax-themed spam has a malicious Word document attached. It appears to come in several variants, for example:

From:    Quinton
Date:    23 January 2015 at 08:18
Subject:    2014 Tax payment issue

According to your tax payments for 2014 year period we found that you gave a wrong legal address in your last tax payment. In order to avoid penalty fees on your tax dues we ask you to contact our specialist having checked the previous payment in advance (the DOC invoice attached below).

Regards
Quinton
Tax Inspector

-----------------

From:    Tara Morris
Date:    23 January 2015 at 09:28
Subject:    Your tax return was incorrectly filled out

Attention: Accountant

This is to inform you that your legal address was filled incorrectly while completing the last tax form application for 2014 year.
In order to avoid penalty fees during the next tax period please contact our expert as soon as you check the payment details (the DOC invoice attached below).
Attached is a Word document with a random name, but always starting with "TAX_". Examples include:

TAX_42592OE.doc
TAX_381694AI.doc
TAX_59582FZ.doc

There are two different variants of this Word document that I have seen so far, neither are detected by AV vendors [1] [2] containing one of two malicious macros [1] [2] that download a file 20.exe from the following URLs:

http://37.139.47.221:8080/koh/mui.php
http://95.163.121.82:8080/koh/mui.php


This file is then saved to %TEMP%\GYHjksdf.exe and has a low detection rate of 2/56 (Norman AV identifies it as Dridex). The Malwr analysis is inconclusive, other analysis is pending.


Thursday, 22 January 2015

Yet more MyFax malware spam

There's another batch of "MyFax" spam going around at the moment, for example:

From:    MyFax [no-replay@my-fax.com]
Date:    22 January 2015 at 15:08
Subject:    Fax #4356342

Fax message

http://[redacted]/.-NEW_RECEIVED.FAX/fax.html
Sent date: Thu, 22 Jan 2015 15:08:30 +0000
Clicking the link leads to a page like this:


The download leads to an EXE-in-ZIP download which is a little different every time [1] [2] [3] [virustotal]. Detection rates are around 6/55.

The Malwr report shows communication with the following URLs:

http://202.153.35.133:51025/2201us22/HOME/0/51-SP3/0/
http://202.153.35.133:51025/2201us22/HOME/1/0/0/
http://when-to-change-oil.com/mandoc/story_su22.pdf
http://202.153.35.133:51014/2201us22/HOME/41/7/4/


Of these 202.153.35.133 is the essential one to block traffic to, belonging to Excell Media Pvt Ltd in India. A file axybT95.exe is also dropped according to the report, which has a detection rate of 7/48.

I haven't seen a huge number of these, the format of the URLs looks something like this:
http://[redacted]/.-NEW_RECEIVED.FAX/fax.html
http://[redacted]/NEW_FAX-MESSAGES/fax.letter.html
http://[redacted]/_~NEW.FAX.MESSAGES/incoming.html


Wednesday, 21 January 2015

"Hartford Tech Summit" aka BizSummits: What's wrong with this picture? (hartfordsummit.com / hartfordsummit.org)

Last year I called out serial spammers BizSummits for their use of stolen photographs that they were attempting to pass off as activities at one of those summits.

A comment on one of the posts indicates that BizSummits are suffering from a degree of butthurt because of this.

Hi Conrad, we just received an autonotice about the comment from Claire Le and were again hoping you would consider archiving/mothballing it because readers see the misleading title which is why the commenter incorrectly surmised BizSummits is a fake after reading it. I think you know it is not, we are glad to immediately make you a member of one of the groups if wished so you can login and watch/listen to hundreds of past meetings (impossible if it were really a fake), and we are also glad to cover your airfare from the UK if you wish to attend any of the in-person events (next on the schedule is the HartfordSummit.com in a few weeks and then a series in Chicago in April including a CIO roundtable you might have interest in attending). Thank you for your consideration. 
 HartfordSummit.com? That's a new one on me. Let's head over to that website.


If you read my previous post on these folks, you might guess where this is going.

Now, bearing in mind the cringing embarrassment they must have felt when I pointed out that all the photos on their sites were of something else entirely, you would expect that they'd use a genuine photograph of one of their summits. I mean, everyone has a digital camera, right? It would be hard to avoid taking a photograph of one of these summits. And they have so many of them.

Let's have a closer look at that photo (http://loadurl.org/hartfordsummit/images/whatsnew.jpg)

It certainly looks like a seminar or summit. But let's see what a Google Reverse Image Search says..


It guesses that this is a picture of "business seminars" and reveals that the same photo is in use on many different sites. And in fact, you just need to do a Google image search for "Seminars" and it turns up in a prominent position.


So now we need some detective work, the original image doesn't appear to be online but I can find a slightly higher resolution one.


There's an interesting sign on the wall..


"The Ivy Review" it says. That matches pretty closely with a photo from ivycenters.com which has a very similar photograph.



This photograph was taken in the Santa Clara Convention centre. That's about 3000 miles from Hartford, but that's not really the point. The point is that this appears to be the photograph of a completely different convention from a completely different organisation. It is certainly a commonly used picture for "seminars" that people paste in when they haven't actually got a picture.

In fact, I have never seen a verifiable photo of any BizSummits event. Perhaps I am looking in the wrong place. Perhaps someone needs to buy BizSummits a digital camera. Draw your own conclusions.

As for a free trip to Connecticut to see BizSummits in action. Yeah, I think I'll pass on that offer.

Tuesday, 20 January 2015

Malware spam: "Barclays - Important Update, read carefully!" / "Barclays Online Bank [security-update@barclays.com]"

This fake Barclays spam leads to malware.

From:    Barclays Online Bank [security-update@barclays.com]
Date:    20 January 2015 at 14:41
Subject:    Barclays - Important Update, read carefully!

Dear Customer,

Protecting the privacy of your online banking access and personal information are our primary concern.

During the last complains because of online fraud we were forced to upgrade our security measures.

We believe that Invention of security measures is the best way to beat online fraud.

Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.

For security reasons we downloaded the Update Form to security Barclays webserver.

You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.

- Please download and complete the form with the requested details:  http://fizza.ro/BARCLAYS~ONLINE.BANKING~UPDATE/update.html

- Fill in all required fields with your accurately details (otherwise will lead to service suspension)

Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.

Thank you for your patience as we work together to protect your account.

Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.

Sincerely,

Barclays Online Bank Customer Service

We apologize for any inconvenience this may have caused.

(c) Copyright 2015 Barclays Bank Plc. All rights reserved.
The link in the email varies, some other examples seen are:
http://nrjchat.org/ONLINE~IMPORTANT-UPDATE/last-update.html
http://utokatalin.ro/ONLINE-BANKING_IMPORTANT/update.html
http://cab.gov.ph/ONLINE-IMPORTANT~UPDATE/last~update.html


Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.

The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].

The Malwr report shows traffic to the following URLs:
http://202.153.35.133:33384/2001uk11/HOME/0/51-SP3/0/
http://202.153.35.133:33384/2001uk11/HOME/1/0/0/
http://clicherfort.com/mandoc/eula012.pdf
http://202.153.35.133:33387/2001uk11/HOME/41/7/4/
http://essextwp.org/mandoc/ml1from1.tar

Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57 and is identified as Dyreza.C by Norman anti-virus.

Malware spam: "Undefined transactions (need assistance)"

This spam comes in a few different variants, however the body text always seems to be the same:

From:    Joyce Mills
Date:    20 January 2015 at 10:30
Subject:    Undefined transactions (need assistance) Ref:1647827ZM

Good morning
I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
P.S. Undefined transactions are included in the attached DOC.

Regards,
Joyce Mills
Senior Accounts Payable
PAYPOINT

The reference number is randomly generated and changes in each case, attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated. Some examples of names, job titles and companies in use include:
Joyce Mills
Joshua King
Gonzalo Hurley
Dona Bullock
Floyd Mcintyre
Courtney Berg
Latasha Mills

Senior Accounts Payable
Remittance Manager
Accounts Payable
Remittance Manager
Accounting Team
Chef Accountant
Senior Accountant

PAYPOINT
MAJEDIE INVESTMENTS
PETROPAVLOVSK PLC
JARDINE LLOYD THOMPSON GROUP
HENDERSON GLOBAL TRUST PLC
JOHNSON MATTHEY
BLACKROCK SMALLER COMPANIES TST PLC
I have seen two different variants of Word document in circulator, both undetected by AV vendors [1] [2] and each one contains a slightly different malicious macro [1] [2] [pastebin] which attempt to download from the following locations:

http://189.79.63.16:8080/koh/mui.php
http://203.155.18.87:8080/koh/mui.php

This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57. That report indicates that it attempts to phone home to:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

This IP is commonly used in this type of attack, I would strongly recommend you block it.

The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57, which is the same DLL as seen earlier today.

Malware spam: "mereway kitchens [sales.north@mereway.co.uk]" / "Delivery Confirmation"

This rather terse spam comes with a malicious attachment. It is NOT from Mereway Kitchens and their systems have not been hacked or compromised in any way.


From:    mereway kitchens [sales.north@mereway.co.uk]
Date:    20 January 2015 at 08:24
Subject:    Delivery Confirmation

Delivery Confirmation
Attached is a file K-DELC-28279.doc which comes in two different versions, both of which are poorly detected by AV vendors [1] [2] and which contain one of two malicious macros [1] [2] [pastebin]. These attempt to download a file from one of the following locations:

http://solutronixfze.com/js/bin.exe
http://ems-medienservice.info/js/bin.exe

This payload is identical to the one found in this spam run which preceded it.

UPDATE 2015-01-23

A second spam run is underway, and although the email and attachment name are the same, the malicious macro itself is rather different. Both Word documents have zero detection rates [1] [2] and contain malicious macros [1] [2] that download another component from:

http://webcredit.be/js/bin.exe
http://www.gmilitaru.home.ro/js/bin.exe

This binary has a VirusTotal detection rate of 3/57. It probably drops the Dridex banking trojan, but analysis is inconclusive.

Malware spam: "Monika [monika.goetz@bigk.co.uk]" / "Proforma Invoice"

This fake invoice leads to malware. It is not being sent by Big K Products UK Ltd, their systems have not been hacked or compromised. Instead, the email is a forgery designed to get you to click the malicious attachment.


From:    Monika [monika.goetz@bigk.co.uk]
Date:    20 January 2015 at 07:18
Subject:    Proforma Invoice

Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.

Kind regards,

Monika Goetz
Sales & Marketing Co-ordinator


The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro [pastebin] which attempts to download a binary from:

http://solutronixfze.com/js/bin.exe

..which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56 and the Malwr report shows it attempting to phone home to:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)


These IPs have been used many times in similar recent attacks an I recommend you block them.

It also drops a DLL with a VirusTotal detection rate of 2/57.  The payload appears to be the Dridex banking trojan.

See also this post about a related spam run also in progress this morning.

Monday, 19 January 2015

Malware spam: "NatWest [donotreply@netwest.uk]" / "Important - Please complete attached form"

This spam claiming to be from NatWest bank (or is it nEtwest?) leads to malware.

From:    NatWest [donotreply@netwest.uk]
Date:    19 January 2015 at 14:02
Subject:    Important - Please complete attached form

*********************************************************************
This message has been scanned by the Bankline CSC SSM AV and found to be free of known security risks.
*********************************************************************

Dear Customer

Please find below your Banking Form for Bankline.

http://www.ipawclp.com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document.html
Please complete Bankline Banking Form :

- Your Customer Id and User Id - which are available from your administrator if you have not already received them

Additionally, if you wish to access Bankline training, simply follow the link  below

www.natwest.com/banklinetraining

If you have any queries or concerns, please telephone your Electronic Banking Help Desk.


National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer.

Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate

In this case the link in the email goes to www.ipawclp.com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document.html where it hits a couple of scripts at:

http://restaurantratiobeach.ro/js/jquery-1.39.15.js
http://utokatalin.ro/js/jquery-1.39.15.js

In turn, that leads to a ZIP file download which contains an EXE file which is slightly different each time it downloads, with low detection rates in all cases [1] [2] [3]. The name of the ZIP file and EXE varies, but is in the format doc12345.exe and doc54321.zip. Of note is a sort-of-informational screen on the download page.


Automated analysis is presently inconclusive [1] [2].

UPDATE:
@snxperxero suggests blocking the following sites:
202.153.35.133
loveshopclothing.com
credit490.com



Malware spam: "Traci Wilson" / "t.wilson@daviescranehire.co.uk" / "19TH JANUARY 2015.doc"

This rather terse spam does not actually come from Davies Crane Hire, but it is a forgery with a malicious Word document attached. Davies Crane Hire have not been hacked or compromised, and they are not sending out this spam.

From:    Traci Wilson [t.wilson@daviescranehire.co.uk]
Date:    19 January 2015 at 09:05
Subject:    19TH JANUARY 2015.doc
There is no body text, just an attachment called 19TH JANUARY 2015.doc which contains a malicious macro.

The documents in use and the payload are identical to this spam run that proceeded it. At the moment, everything has a very low detection rate. The payload is the Dridex banking trojan.



Malware spam: "repairermessages@fmg.co.uk" / "Insurance Inspection Arranged AIG02377973" / "FMG Support Group Ltd"

This spam does not come from FMG Support Group Ltd, but instead it is a forgery. FMG are not sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
From:    repairermessages@fmg.co.uk
Date:    19 January 2015 at 07:24
Subject:    Insurance Inspection Arranged AIG02377973

FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.

Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@fmg.co.uk

FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.

Tel: 0844 243 8888
Email: info@fmg.co.uk

This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you received this email by mistake, please advise the sender by using the reply facility in your email software.

Outbound Message checked by Websense Mail Control.
Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least two different versions, neither of which are detected by AV vendors [1] [2]. These documents contain two slightly different malicious macros [1] [2] which attempt to download a further component from:

http://chilan.ca/js/bin.exe
http://techno-kar.ru/js/bin.exe

This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57. The Malwr report shows it attempting to communicate with the following IPs:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)


These two IP addresses have been used by this malware for a long time, I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53.
 

Thursday, 15 January 2015

Malware Spam: "HEXIS (UK) LIMITED" / "Invoice from Hexis"

This fake invoice has a malicious attachment. It does not comes from Hexis UK Ltd, it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.

From:    Invoice from Hexis [Invoice@hexis.co.uk]
Date:    15 January 2015 at 06:36
Subject:    Invoice

Sent 15 JAN 15 08:30

HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ

Telephone 01543 411221
Fax 01543 411246 
Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in two different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros [1] [2] which download a component from one of the following locations:

http://dramakazuki.kesagiri.net/js/bin.exe
http://cassiope.cz/js/bin.exe

This has a VirusTotal detection rate of 3/57. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:

59.148.196.153
74.208.11.204
81.27.38.97


UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57.



Malware spam: Payment request of 4176.94 (14 JAN 2015)

This spam comes with a malicious Word document attached:

from:    Alan Case
date:    15 January 2015 at 08:49
subject:    Payment request of 4176.94 (14 JAN 2015)

Dear Sirs,

Sub: Remitance of GBP 4176.94

This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.

Thanking you,
Alan Case Remittance Manager
Other names and job titles seen include:
Alan Case
Melisa Howell
Brooke Barr
Nanette Lloyd
Holly Hartman
Doreen Mclean
Lonnie Boyer
Jessica Richardson
Celeste Singleton
Katie Hahn
Marilyn Barnett
Lois Powell
Donald Yang
Christina Grimes
Keenan Graham
Muriel Prince
Chance Salazar
Francine Nixon

Accounting Team
Senior Accounts
Senior Accounts Payable
Senior Accountant
General Manager
Remittance Manager

The payment amount, name and job title change in each spam, as does the name of the attachment (although this following the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro [1] [2] [3] which attempt to download another component from one of the following locations:

http://95.163.121.71:8080/mopsi/popsi.php
http://95.163.121.72:8080/mopsi/popsi.php

http://136.243.237.204:8080/mopsi/popsi.php

Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking.  136.243.237.204 is a Hetzner IP.

The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP.

The Malwr report is inconclusive, but this exectuable probably drops a Dridex DLL.

Recommended blocklist:
194.146.136.1
95.163.121.71
95.163.121.72
136.243.237.204

UPDATE: the following are Dridex C&C servers which you should also block:
80.237.255.196
85.25.20.107

Wednesday, 14 January 2015

Isabella Rossellini falls on hard times, starts sending SEO spam

Now, I enjoyed Isabella Rossellini very much in Blue Velvet ..


But it seems that she must have fallen on hard times and has started spamming for some Indian SEO outfit..

From:    Isabella Rossellini [isabellarosselliniwebmaster@hotmail.com]
Date:    14 January 2015 at 11:30
Subject:    SEO Package Get 25% Discount

Hi,

My name is Isabella Rossellini and working with a reputed leading S.E.O. Company in INDIA having the experience of getting our customer’s websites top in Google, Yahoo, and Msn and other search engine rankings producing high revenue with top page rank.

We provide a S.E.O. Special Offer going for the following package.

Monthly task and Responsibilities:-

1. 150 Directory submissions
2. 10 Social Bookmarking Submissions
3. 10 Article Submissions (1 article x 10 article directories)
4. 10 Press Release Submissions (1 press release x 10 press release websites)
5. Google Submissions
6. 1 unique, 400 word article written
7. 1 unique, 400 word press releases
8. 15 One Way back links with mix PR
9. Meta tags changes suggestions
10. Keyword research
11. Competitor Analysis
12. Heading tag changes
13. Alt tag changes
14. Interlinking wherever required.
15. Keyword Density in site content.
16. HTML Site Map
17. XML site map and Submission in webmaster tool
18.Search Engine Submission
19.Content Optimization
20.Deep linking submission

Wish u a happy,healthy,peaceful & prosperous 2015!!!

Let me know if you are interested and I would happy to send you more details on this.

Kind Regards

Isabella Rossellini
Online Marketing Executive
I suppose it is marginally possibly that this isn't the same "Isabella Rossellini" or indeed that the name is completely made up. Anyway, I think I will give this SEO spammer a wide berth.

Malware spam: "Les Mills Invoice" / "lmuk.accounts@lesmills.com"

This fake invoice pretends to come from Les Mills but it doesn't, it is a forgery and they are not sending out spam nor have their systems been compromised in any way. Instead, this is being sent by a botnet controlled by organised criminals and carries a malicious attachment.

From:    lmuk.accounts@lesmills.com
Date:    14 January 2015 at 07:49
Subject:    Les Mills Invoice

Dear Customer,
Please find attached an invoice for Les Mills goods/services.  Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
If you have any queries please email lmuk.accounts@lesmills.com or call 0207 264 0200 and select option 3 to speak to a member of the team.
Best regards,
Les Mills Finance Team
I have personally only seen one sample with an attachment Les Mills SIV035931.doc which is currently undetected by AV vendors and contains this malicious macro [pastebin]. This version of the macro attempts to download a component from:

http://ford-mustang.ro/js/bin.exe

..but this location is currently not working. However, my sources say that there is another download location of:

http://okurimono.ina-ka.com/js/bin.exe

which is loaded by a different version of the DOC that I have not yet seen. This file is saved as %TEMP%\dserrttfsdf.exe and has a VirusTotal detection rate of 2/57. The same source says that it downloads a DLL from the following IPs:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
81.27.38.97 (Webhuset Datasenter, Norway)

Some of this activity can be seen in the Malwr report including the dropped DLL which has a VirusTotal detection rate of just 2/57.

Recommended blocklist:
59.148.196.153
74.208.11.204
81.27.38.97

okurimono.ina-ka.com

Tuesday, 13 January 2015

Malware spam: "john.smith@mail-irs.gov" / "Your tax return was incorrectly filled out"

This fake tax return spam leads to malware:

From: John Smith [mailto:john.smith@mail-irs.gov]
Sent: 13 January 2015 11:13
Subject: Your tax return was incorrectly filled out


Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely
The link in the email has a format such as:
http://marypageevans.com/taxadmin/get_doc.html
http://laser-support.co.uk/taxadmin/get_doc.html

A journey through some heavily obfuscated javascript follows (see here for a deeper analysis of this sort of attack) which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead.

The .exe file has a VirusTotal detection rate of just 2/57 and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:

http://202.153.35.133:19639/1301us23/HOME/0/51-SP3/0/
http://202.153.35.133:19639/1301us23/HOME/1/0/0/
http://dstkom.com/mandoc/lit23.pdf
http://202.153.35.133:19657/1301us23/HOME/41/7/4/

It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs.gov on your email gateway might help.

Monday, 12 January 2015

Malware spam: Important - New Outlook Settings

There has been a large spam run going on in the past few hours with the subject "Important - New Outlook Settings", for example:

From: Administrator [mailto:Administrator@Outlook-us.com]
Date: Monday, 12th January 2015 16:21
Subject: Important - New Outlook Settings

Please carefully read the downloaded instructions before updating settings.

http://indemnizaciongarantizada.com/outlook/settings.html

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. 
The download location varies but always has the same path. Here are some other sites in use:

equisolv.com
crm.martrada.com
drukart.home.pl
baypipo.com
hagarsatat.com
duedisnc.it
hinchablessegarra.com
ferramentarighi.it
eu1.panalinks.com
duckzone.kilu.de
indemnizaciongarantizada.com

This spam run is essentially very similar as others seen in recent days, for example this one. Clicking the link in the email will either lead to nonsense text or a file that downloaded as "message.zip ;.zip ;.zip ;" when I tried it.

Inside this ZIP file is an executable file that is slightly different each time it is downloaded. When I scanned one of these earlier, it turned out to have a very low detection rate.

The Malwr report shows that it drops another file that appears to be a banking trojan, and which also has low detection rates.

Malwr also reports malicious traffic to and from the following locations:

http://202.153.35.133:12028/1201uk1/HOME/0/51-SP3/0/
http://202.153.35.133:12028/1201uk1/HOME/1/0/0/
http://morph-x.com/mandoc/page_241.pdf
http://202.153.35.133:12011/1201uk1/HOME/41/7/4/

A tip-off also indicates that there will be traffic to coffeeofthemonth.biz.

Recommended blocklist:
202.153.35.133
morph-x.com
coffeeofthemonth.biz

Malware spam: "JPS Projects Ltd" / "Jason Bracegirdle" / "Summary Paid Against "

This fake finance email appears to be from a legitimate company called JPS Projects Ltd, but it isn't. Instead the email is a forgery being sent by an organised crime ring. JPS Projects are not sending this email, not have their systems been hacked in any way.

This email has a malicious Word document attached, the nature of the email itself indicates that it has been taken from a customer of JPS Projects that has been hacked and used as a template for the spam.

There is no need to email or phone JPS Projects, you should simply delete the email message without opening the the attachment.

From:    Jason Bracegirdle JPS Projects Ltd [jason.bracegirdle@jpsprojectsltd.co.uk]
Date:    12 January 2015 at 10:50
Subject:    Summary Paid Against

Please find attached summary which was paid against

Jas




JPS
Jason Bracegirdle  Managing Director

M: 07912 883455O: 02031 741416F: 02030 700632E: jason.bracegirdle@jpsprojectsltd.co.ukW: www.jpsprojectsltd.co.uk
QMS ISO 9001QMS ISO 14001OHAS 18001
Manchester
402 Chaddck Lane
Astley
Manchester
M29 7JS
London
Unit 9,
Bunns Lane Works,
Bunns Lane,
Mill Hill,
London
NW7 2AJ

JPS
This e-mail is confidential and is intended solely for the use of the individual or entity to whom it is addressed. If you are not the intended recipient and you have received this e-mail in error then any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. You should contact the sender by return e-mail and delete and destroy all the information from your system. Any views or opinions presented are solely those of the author and do not necessarily represent those of JPS. This email does not form part of a legally binding agreement. We have taken precautions to minimise the risk of transmitting software viruses or trojans, but we advise that you carry out your own virus checks on any attachments to this message. We cannot accept liability for any loss or damage caused to your software, hardware or system.
More information about JPS can be found at our website at: http://www.jpsprojectsltd.co.uk

Attached is a file Copy of Weekly Summary 28 12 2014 w.e 28.12.14 which actually comes in two versions, both with a VirusTotal detection rate of 3/56 [1] [2]. The payload is exactly the same as used in this earlier spam run today and it leads to the Dridex banking trojan.