Sponsored by..

Wednesday, 13 May 2015

Malware spam: "Need your attention,''Important notice" / "Financial information" / "Important information"

This mix of spam messages come with a malicious attachment:

From:    Johnny Higgins [JohnnyHigginsyb@mail.whitsoncm.com]
To:    "it-dept@victimdomain"
Date:    13 May 2015 at 11:39
Subject:    Need your attention,''Important notice

Good Afternoon,

We have received a payment from you for the sum of £ 686.  Please would you provide me with a remittance, in order for me to reconcile the statement.

I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564  less the £3254.00 received making a total outstanding of £ 878.  We would very much appreciate settlement of this.

As previously mentioned, we changed entity to a limited company on 1st December 2014.  We are keen to close all the old accounts down, for both tax and year end reasons.  We would be very grateful in your assistance in settling the outstanding.

If you need any copy invoices please do not hesitate to contact us

Regards,

Johnny Higgins

--------------------------

From:    Rowena Mcconnell [RowenaMcconnellev@telemar.it]
To:    tedwards@victimdomain
Date:    13 May 2015 at 11:38
Subject:    Financial information

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Rowena Mcconnell

--------------------------

From:    Jimmie Cooley [JimmieCooleyzils@fsband.net]
To:    server@victimdomain
Date:    13 May 2015 at 11:34
Subject:    Important information

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Jimmie Cooley
Seniour Finance Assistant

Each attachment is slightly different, but does contain the name of the recipient plus a random number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multi-part MIME file, but many are corrupt and are either Base 64 encoded or are "404 Not Found" files.

If the file is correctly format, it should behave similarly to this Hybrid Analysis report, which says that it connects to several different IPs, but crucially also it downloads a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saves it as crypted.120.exe.

This malicious executable has a detection rate of 2/56 and the Malwr report says that it communicates with 46.36.217.227 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.

Recommended blocklist:
46.36.217.227
91.226.93.110

MD5s:
9afecfaa484c66f2dd11f2d7e9dc4816
d2f825ecfb3d979950b9de92cbe29286



Tuesday, 12 May 2015

Malware spam: "ATTN: Outstanding Invoices - [4697E0] [April|May]"

This spam comes with random senders and reference numbers, but in all cases includes a malicious attachment:

From:    Debbie Barrett
Date:    12 May 2015 at 11:14
Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]

Dear anthony,

Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.

Kind regards
The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D8
20AEB9ECEBC26B3CDE960728E890F904
33A8CBE7B75B20B5EA1069E3E2A13D80
3973E29F7BDC7903FFCB596B10F9FD54
7019D711AE0E2FEDEE25EAA3341CFB7F
949816F4DF724E690690B3C8AD3871D4
9CDEFFBAC7B79302D309404E6F3068C4
B5C2393D44D8E0C94D04E2D159AE8776
B84D52F59AEC53B8D7FA109D256FCB6B
CA5E8A531A8EE24B15FC7B2A66502042
E99216D829C632DF24ECAD9162AF654C
EC1AD4316DBA799EF2E2440E715CD5F5
F4B5B0AE85F27E0A475BD359F5BE76E8
F666682D638FE67607DD189705844AD5

The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C015
9AFECFAA484C66F2DD11F2D7E9DC4816
838F0A8D3FCBD0DDB2F8E8D236D17957

Recommended blocklist:
92.63.88.0/24
46.36.217.227


Malware spam: "Copy of your 123-reg invoice ( 123-015309323 )" / "no-reply@123-reg.co.uk"

This fake invoice is not from 123-reg, but is instead a simple forgery with a malicious attachment:

From:    no-reply@123-reg.co.uk
Date:    12 May 2015 at 10:17
Subject:    Copy of your 123-reg invoice ( 123-015309323 )

Hi,

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.

https://www.123-reg.co.uk
About us | Privacy policy
© Copyright 123-reg - Part of Webfusion Ltd

Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.
Attached is a Word document 123-reg-invoice.doc which contains a malicious macro [pastebin] and has a detection rate of 5/57. There may be several different versions of this macro, but the sample I saw downloaded a file from:

http://fosteringmemories.com/432/77.exe

..which is saved as %TEMP%\ihmail4.1.0.exe and has a VirusTotal detection rate of 5/56. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs:

37.143.15.116 (Internet-Hosting Ltd, Russia)
62.152.36.90 (Host Telecom Net, Russia)
89.28.83.228 (StarNet SRL, Moldova)
185.15.185.201 (Colobridge gmbh, Germany)


According to this Malwr report it also drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201

MD5s:
3fcc933847779784ece1c1f8ca0cb8e4
3540c517132a8a4cd543086270363447
0bb376ba96868461ffa04dd70dc41342


Monday, 11 May 2015

Malware spam: "Payment details and copy of purchase [TU9012PM-UKY]"

I haven't really had time to analyse this, so I am using the analysis of an anonymous source (thank you)..

From:    Kristina Preston [Kerry.df@qslp.com]
Date:    11 May 2015 at 12:56
Subject:    Payment details and copy of purchase [TU9012PM-UKY]

Dear [redacted]

On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Kristina Preston
Brewin Dolphin
The names and references change between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is a some sort of MIME file containing a mixture of HTML and Base64-encoded segments.

My source has analysed that this downloads a VBS file from Pastebin at pastebin[.]com/download.php?i=FsYQqTaj which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia)

This binary has a detection rate of 2/56 and according to automated analysis tools [1] [2] it communicates with:

46.36.217.227 (FastVPS, Estonia)

It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56.

Recommended blocklist:
46.36.217.227
91.226.93.14

Wednesday, 6 May 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This spam does not come from Transport for London, but is instead a simple forgery with a malicious attachment.

From:    noresponse@cclondon.com
Date:    6 May 2015 at 12:44
Subject:    Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.


Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

So far I have seen four different versions of the malicious Word document AP0210780545.doc, all with low detection rates [1] [2] [3] [4] containing various macros [1] [2] [3] [4]. These attempt to download an executable from one of the following locations:

http://jkw-sc.com/111/46.exe
http://aimclickbang.com/111/46.exe
http://www.haunersdorf.de/111/46.exe
http://volpefurniture.com/111/46.exe


This file is saved as %TEMP%\wiley5.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show attempted network traffic to:


62.152.36.90 (Filanco Ltd, Russia)
89.28.83.228 (StarNet, Moldova)
185.12.95.191 (RuWeb CJSC, Russia)
185.15.185.201 (Colobridge, Germany)


This Malwr report shows that it drops a Dridex DLL with a detection rate of 4/56.

Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201


MD5s:
412ce577521a560459cd711f5966caf4
997bafa825426a3456625983878cb5df
bab231ddf87a24dd81638483f209d238
a49a337f1189dd139499a102b635c918
079f0c588769f6961d888614cf140812
03f9a963fefffc4b97b880a8c4ad208b

Thursday, 30 April 2015

Nepal Earthquake scam: savenepal.org

I was tipped off to this site by a contact, but it appears that there are some particularly dispicable scammers who have registered a fake website called savenepal.org which is soliciting donations via PayPal.

The site largely cloned from the legitimate ActionAid site which is genuinely seeking donations to go to Nepal.

ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check at the UK charities commission and we can see that the charity with this number is actually an orchestra.


Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:


The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:

com-indexhtml.link
com-indexhtml.us
grantsekit.com

Out of these, only com-indexhtml.us has a non-anonymous WHOIS entry:

Registrant ID:                               C4E83B25FA8AD52D
Registrant Name:                             Frank J. Moore
Registrant Address1:                         2441 Byers Lane
Registrant City:                             Davis
Registrant State/Province:                   CA
Registrant Postal Code:                      95616
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.5307574940
Registrant Email:                            uscustomerhelp@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:

Registrant ID:                               29B0B5BBD7190398
Registrant Name:                             dinna  james
Registrant Address1:                         po box 876
Registrant City:                             dl
Registrant State/Province:                   dl
Registrant Postal Code:                      110098
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +1.918978978
Registrant Email:                            helpot80@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


Of course, these contact details could also be false and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com?  Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email where someone who is claiming to use this email address is complaining about spam. If we then use Google Groups to find the original newsgroup post we see it was posted from an IP of 182.68.85.242 which is a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.

Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.

This WHOISology report links the address to several domains:

beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us

Also, 94.242.255.129 has hosted many other domains, many of which appear to be scammy.

com-13.pw
com-21.us
com-indexhtml.us
news7d.com
mynews360.com
grantsekit.com
social2013.com
secured2014.com
usgrantskit.com
savenepal.org
com-indexhtml.link
huffingtonpost.com-indexhtml.link
dear.graphics

Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.

What else can we find out?

The email address is connected with this scammy looking Facebook page allegedly giving away "free laptops"



The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These Profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.

I cannot prove that helpot80@gmail.com is connected with the savenepal.org, but they probably know whoever is behind it.

Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.

Malware spam: "Rebecca McDonnell [rebecca@gascylindersuk.co.uk]" / "Telephone order form"

This fake financial email is not from Gas Cylinders UK but is instead a simple forgery with a malicious attachment.

From:    Rebecca McDonnell [rebecca@gascylindersuk.co.uk]
Date:    30 April 2015 at 09:54
Subject:    Telephone order form

Telephone order form attached
Regards,

Rebecca McDonnell
Business Administrator

340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI:  01744 304338
Fax: 01942 275 312
Email: rebecca@gascylindersuk.co.uk


***** D i s c l a i m e r *****

This e-mail message is confidential and may contain legally privileged information. If you are not the intended recipient you should not read, copy, distribute, disclose or otherwise use the information in this e-mail.  Please also telephone us on 0800 622 6330, immediately and delete the message from your system. E-mail may be susceptible to data corruption, interception and unauthorised amendment, and we do not accept liability for such corruption, interception or amendment or the consequences thereof.
There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56 and contained this malicious macro [pastebin] which downloaded a component from the following location:

http://morristonrfcmalechoir.org/143/368.exe

This is saved as %TEMP%\serebok2.exe and has detection rate of 8/56. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:

212.227.89.182 (1&1, Germany)

The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55.


Wednesday, 29 April 2015

cnwebregistry.cn / chinaygregistry.com scam and "Huayu Ltd"

This spam email is actually part of a long-running Chinese scam.

From:    Jim Bing [jim.bing@cnwebregistry.cn]
Date:    29 April 2015 at 14:27
Subject:    Re:"[redacted]"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.cn
Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a rogue Chinese domain registrar to get you to buy overpriced and worthless domains.

In this case the spam mentions the domain cnwebregistry.cn, but chinaygregistry.com is also on the same server and will be similarly fraudulent.

This video I made a while ago explains the scam in more detail:



Tuesday, 28 April 2015

Malware spam: "INVOICE PD Will Comm" / "richard will [contactwill@hotmail.com]"

This malicious spam does not come from Will Communications but is instead a simple forgery with a malicious attachment.

From:    richard will [contactwill@hotmail.com]
Date:    28 April 2015 at 09:05
Subject:    INVOICE PD Will Comm

Thank-you for your payment!

Richard Will

Will Communications, Inc.
richard@willcommunications.com

The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56 and it contains this malicious macro [pastebin]. In this case, the macro downloads a component from:

http://massachusettsselfstorage.com/62/927.exe

..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53. There may well be other documents that download from other locations, but the binary will be the same in all cases.

Automated analysis tools [1] [2] [3] show that it attempts to communicate with the following IP:

185.12.95.191 (RuWeb CJSC, Russia)

According the the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56.

MD5s:
67a5facf854a72382a8d8e308027baa3
f998950151c5922cd2c338290e78a420
59f03febb357e343f33937b9925b8846

Monday, 27 April 2015

Malware spam: "[1138593] Booking.com Invoice 01/03/2015 - 31/03/2015" / "invoice@booking.com"

This fake invoice email does not come from Booking.com but is a simple forgery with a malicious attachment.
From:    invoice@booking.com
Date:    27 April 2015 at 08:55
Subject:    [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Dear customer,

Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.

If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail:  ).

Thank you for working with Booking.com.
The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://voipconcerns.com/62/927.exe

There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)

According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57.

MD5s:
6aa26f04b22b284dda148ce317f53de8
a92cdc17c74b1a008d3c239006fdf042
1c90c45e0bdfb91a8a73c1f6d1e738fe

Friday, 24 April 2015

Malware spam: "Pidwell, Nigel [nigel.pidwell@ssecontracting.com]" / "Western Order"

The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:
From:    Pidwell, Nigel [nigel.pidwell@ssecontracting.com]
Date:    24 April 2015 at 08:47
Subject:    Western Order

Regards

Nigel Pidwell
Administrator
SSE Contracting Limited
T: +44 (0) 1637 889506
E: nigel.pidwell@ssecontracting.com
Unit 8, Hurling Way,
St Columb Major Business Park, St Columb Major, Cornwall
TR9 6SX
www.sseenterprise.co.uk



So far I have only seen one sample Western Order.doc [VT 4/57] which contains a malicious macro [pastebin] which is functionally identical to the one used in this spam run which was also happening this morning.

Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
From:    Colin Fox [colin@nofss.co.uk]
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658     attached 
The attachment is Sales Invoice 519658.pdf [VT 2/57] This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].

There may be different versions of the macro, but in this case it downloads a component from:

http://bepminhchi.com/83/61.exe

..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)
149.154.64.70 (TheFirst-RU, Russia)
78.24.218.186 (TheFirst-RU, Russia)
89.28.83.228 (StarNet SRL, Moldova)


In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228

Sample MD5s:
da26ed1b6fe69d15a400b3bc70001918
b37ea697df790121e4dda35d8ba172c3
0ea69ef635257be03043a3f70f013475
29471c1aabae10d205f474a3299486ec


Thursday, 23 April 2015

Malware spam: "Refund on order 204-2374256-3787503" / "Amazon.co.uk [payments-messages@amazon.co.uk]"

This fake Amazon spam comes with a malicious attachment:

From:    Amazon.co.uk [payments-messages@amazon.co.uk]
Reply-To:    "Amazon.co.uk" [payments-messages@amazon.co.uk]
Date:    23 April 2015 at 09:58
Subject:    Refund on order 204-2374256-3787503

Dear Customer,

Greetings from Amazon.co.uk.

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.

Thank you for shopping at Amazon.co.uk.

Sincerely,

Amazon.co.uk Customer Service
http://www.amazon.co.uk


Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again


Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:

http://qube.co.il/42/335.exe

..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs:

185.12.95.191 (RuWeb CJSC, Russia)
87.236.215.151 (OneGbits, Lithuania)
94.23.171.198 (OVH, Czech Republic)
185.35.77.250 (Corgi Tech, UK)
149.154.64.70 (TheFirst-RU, Russia)

The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.

Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70

MD5s:
e52a8d15ee08d7f8b4efca1b16daaefb
57b54e248588af284871c2076f05651c
ca5c5b79ce16d888ba2a6747b9d033d3


Wednesday, 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia
I have only seen one sample of this spam so far, it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez
RESTAURANT GROUP PLC

In this case, the link in the email goes to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC

..which includes the victim's email address in the URL. In turn, this redirects to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs  

As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

http://185.91.175.183/sas/evzxce.exe

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs:

144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)


According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18


MD5s:
1fc2abec9c754e8cc1726bf40e0b3533
af8ff1ea180d5c45b4bb8c8f17c6cddc
57b54e248588af284871c2076f05651c



Tuesday, 21 April 2015

Malware spam: "Australian Taxation Office - Refund Notification" / "Australian Taxation Office [noreply@ato.gov.au]"

G'day mate. Despite not being an Aussie and never having paid a single Australian cent in tax, apparently I'm due a tax refund from the Australian Tax Office. Bonzer!

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    21 April 2015 at 21:36
Subject:    Australian Taxation Office - Refund Notification

IMPORTANT NOTIFICATION

Australian Taxation Office - 22/04/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 218.21 AUD.

To view/download your tax notification please click here or follow the link below :
https://www.ato.gov.au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=report2104_4343697

Brett Newman, Tax Refund Department Australian Taxation Office 

Despite the "gov.au" site that apparently displays in the link, it actually leads to a download from i.nfil.es and it leads to a ZIP file called report2104.zip which in turn contains the malicious executable report2104.exe.

Currently this malware has a reasonable detection rate of 23/57. Out of various automated analysis tools, only the Payload Security Hybrid Analysis engine gave a decent result indicating that a connection was made to a legitimate but hacked site relianceproducts.com and then several versions of the same .EXE were downloaded, which this VirusTotal report indicates is the Dyre banking trojan. That same VirusTotal post also lists a number of C&C servers that you might want to block:

213.239.214.42
81.162.123.76
77.87.99.67
62.122.69.150
91.238.74.70
62.122.69.172
91.194.239.126
94.231.178.46
194.28.190.167
80.234.34.137
213.111.243.60
46.149.253.52
37.57.101.221
134.249.63.46
85.192.165.229
46.151.48.149
195.34.206.204
62.122.69.159
188.123.34.203
178.18.172.215
91.232.157.139
46.151.49.128
195.206.255.131
37.232.185.114
176.120.201.9
62.182.33.16
46.180.147.50
46.175.23.130
46.151.48.184
84.16.55.12
84.16.54.22
84.16.55.122
93.184.71.88
83.168.164.18
212.89.237.65
176.109.58.78
212.37.81.96
95.165.196.227
195.34.239.93
77.234.235.48
109.236.121.136
217.12.59.238
181.189.152.131
194.28.190.183
95.67.88.84
176.56.24.229
178.136.123.22

Malware spam: "LAG invoice I413136" / "Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]"

This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
From: Lichelle Ebner [mailto:Lichelle5938@lagrinding.co.uk]
Sent: Tuesday, April 21, 2015 9:55 AM
Subject: LAG invoice I413136

Dear Accounts Payable,

Attached is a copy of invoice  I413136 .The items were shipped.  Please feel free to contact me if you have any questions or cannot read the attachment.
                 
Thank you for your business.

Sincerely,

Lichelle Ebner
L. A. Grinding Company
Ph. (818) 846-9134
FAX (818)846-1786
So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57 and which contains this malicious macro [pastebin], in turn this downloads a component from:

http://eternitymobiles.com/25/144.exe

..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56.

Automated analysis tools [1] [2] [3] show that it attempts to communicate with a familiar IP:

89.28.83.228 (StarNet SLR, Moldova)

According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56.

Recommended blocklist:
89.28.83.228

MD5s:
02492b954b48f13412a844d689d064f1
7f7f476e83a253794b36cb7a16c04902
155643eb342c5b65a6f5a1391fe2396b




Monday, 20 April 2015

Malware spam: "Hector Malvido [handyman1181@hotmail.com]" / "Pending payment"

This spam comes with a malicious attachment:

From:    Hector Malvido [handyman1181@hotmail.com]
Date:    20 April 2015 at 10:51
Subject:    Pending payment

This invoice shows in my records that has not being pay can you review your records please
Attached is a file filename-1.doc (3/57 detection by AV vendors) which may come in many different versions, but the samples I have all have this malicious macro [pastebin] which downloads another component from the following location:

http://kafilahgroup.com/55/55.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] [4] show it phoning home to:

89.28.83.228 (StarNet SLR, Moldova)

The Malwr report shows that it drops a Dridex DLL with a 3/57 detection rate.

Recommended blocklist:
89.28.83.228

MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e

Friday, 17 April 2015

Malware spam: "Julie Mckenzie [julie0526@swift-cut.co.uk]" / "Credit Card Statement"

This spam does not come from Swift Cut, but is instead a simple forgery with a malicious attachment:

From:    Julie Mckenzie [julie0526@swift-cut.co.uk]
Date:    17 April 2015 at 12:24
Subject:    Credit Card Statement

Hi
Attached your credit card statement.
Can you return with receipts by Friday 17th April.
Thanks
Julie
 
Julie McKenzie
Sales Administrator
Tel +44 (0)1543 473300
E-mail julie@swift-cut.co.uk
Attached is a file C Swift Credit Card.doc which comes in at least four different versions, all of which are malicious and all of which have a macro similar to this one [pastebin].

These macros download a file from one of the following locations:

http://oolagives.com/24/733.exe
http://derekthedp.com/24/733.exe
http://sempersleep.com/24/733.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54 (identified clearly as a Dridex component). Automated analysis [1] [2] [3] [4] shows that it attempts to communicate with:

46.36.219.32 (FastVPS, Estonia)


I recommend that you block traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53.

MD5s:
6c784bec892ce3ef849b1f34667dccac
ec35660657404295a78d8d1bcb1f1071
89b87b7c5c38039a4a46060f00a1ec37
40862ce3abb02d69ec31b8a1b62fef95
59fe482009fecc8761809a9c974a143e
f840f9075a178ab579ed2e4c622bc291


Scam: "Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK)," / "Royal Queens Hotel"

This spam email forms part of a Conference Scam:


From:    United Nations Summit [no_replytoold@live.com]
Reply-To:    unitednation.unt@gmail.com
Date:    16 April 2015 at 17:59
Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),

Dear Invitee, Nonprofit/NGO Colleague,

UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.

Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.

The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel.

Venue: Queen Elizabeth II Conference Centre (QEIICC)
Date:5th-9th May, 2015.
Conference Theme:Impact and implications of the global financial and economic crisis on sustainable development & climate change proposals for an integrated global response to the crisis.

For further details about registration form,visa,flight ticket and other details, write an acceptance letter to be part of this event and send it directly via our Official e-mail together with your cellphone number for confirmation.

Send us e-mail:
unitednations_summit@secretary.net
unitednations.summit@aol.fr
or Call Dr. Pitt Thomas for more information +44703-597-1620.

We look forward to meeting you at the forthcoming Global Financial and Economic Crisis conference.

Register Now!!!!

Mrs.Kathleen Fitzpatrick
(Organizing Secretary)
Communication and Public Affairs.

United Nations-Nations Unites
Division for Social Policy and Economic Development Department of Economic
and Social Affairs Room UK2-1324, 2 United Nations Plaza, England, United
Kingdom.
What's the scam? Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." These is no hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel.. and will then vanish with your money.


There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a fake hotel website to make the scam more credible.

Avoid.

Thursday, 16 April 2015

Malware spam: "Decisive notification about your Automated Clearing House payment"

This fake ACH spam leads to malware:

From:    aileen.alberts@[redacted]
Date:    16 April 2015 at 15:55
Subject:    Decisive notification about your Automated Clearing House payment


The Automated Clearing House transaction transfer, recently initiated from your company"s online bank account, has been rejected by the EPA.

Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars
Email [redacted]
Reason of Termination Download full details

Please visit the link provided at the top to see more information about this problem.
The link in the email goes to a download location at dropbox.com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro [pastebin].

I haven't had the time to analyse it fully, but it is rather different from other offerings. From what I can tell, it downloads an encrypted file [pastebin] from:

sundsvallsrk.nu/tmp/1623782.txt or
hpg.se/tmp/1623782.txt

And some sort of executable from Dropbox with a detection rate of 3/57. Automated analysis tools are inconclusive at the moment [1] [2] although the Payload Security report does show several dropped files including two malicious scripts [pastebin].

Of note is that one of the scripts downloads what looks like a PNG from:

savepic.su/5540444.png

For now, I would recommend blocking traffic to
sundsvallsrk.nu
hpg.se
savepic.su

For researchers only, I have an archive of some of the files here, password is infected.