Sponsored by..

Thursday, 18 June 2015

Malware spam: "NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693" / "sac.contact4e74974737@bol.com.br"

These Portuguese-language spam pretends to be some sort of banking invoice aim, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.

From:    sac.contact4e74974737@bol.com.br
To:    mariomarinho@uol.com.br
Date:    18 June 2015 at 08:46
Subject:    NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
Signed by:    bol.com.br

Olá.
Estamos encaminhando o LINK para download da nota fiscal eletrônica.
https://cfb53a79c1679ed75e40a391fa21b9b359784781.googledrive.com/host/[redacted]

Caso tenha alguns dos dados errados favor nos retorne no email nfe@jmcomercio.com.br.

 ATT, DANI AIRES DP.FINANCEIRO

18/06/15 :
04:46:18.161 :
''8636055042''WTg9R9cng3hYUD''RYkSkcFpJs''
Por favor, não "responda" esta mensagem.

The reference numbers and sender change slightly in each version.

I've seen three samples before, each one with a different download location [a list is here] which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57. Comments in that report indicate that this may be the Spy.Banker trojan.

The Malwr report indicates that it downloads components from the following locations:

http://donwup2015.com.br/arq/point.php
http://tynly2015.com.br/upt/ext.zlib

The Hybrid Analysis report  also has some other details.

These sites are hosted on:

108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)

The VirusTotal report for both these IPs [1] [2] indicates a high level of badness, indicating that they should be blocked.

Furthermore, Malwr shows that it drops a file with a detection rate of 2/57. As yet, I have only tested this on Malwr and it fails to run.

Recommended blocklist:
108.167.188.249
187.17.111.104

MD5s:
71070bc5e6b5c03c2e1d1ef4563c7b94
b969376c85d4e7f1a94ca3a2e416792e

Monday, 15 June 2015

Malware spam: "[Nyfast] Payment accepted" / "Nyfast [mailto:sales@nyfast.com]"

This spam does not come from Nyfast but is instead a simple forgery with a malicious attachment.

From: Nyfast [mailto:sales@nyfast.com]
Sent: Monday, June 15, 2015 11:47 AM
Subject: [Nyfast] Payment accepted


Hi ,
Thank you for shopping with Nyfast!


Order ZUJIEQGQV - Payment processed
Your payment for order with the reference ZUJIEQGQV was successfully processed.


You can review your order and download your invoice from the "Order history" section of your customer account by clicking "My account" on our shop.
If you have a guest account, you can follow your order via the "Guest Tracking" section on our shop.

Nyfast powered by PrestaShop™
Attached is a Word document with a malicious macro, named 29172230_15.06.15.doc. The payload is the same as the one found in this earlier spam run.

Malware spam: "New Doc" / "Will Kinghan [WKinghan@hhf.uk.com]"

This spam does not come from Henry Howard Finance, but is instead a simple forgery with a malicious attachment.

From:    Will Kinghan [WKinghan@hhf.uk.com]
Date:    15 June 2015 at 12:09
Subject:    New Doc

Hello,

My apologies again.

Document attached

Will

With kind regards,

Will Kinghan
Account Manager
T: 01633 415235 |M: 07468723790| E: wkinghan@hhf.uk.com

www.henryhowardfinance.co.uk

Head Office

T
: 01633 415222  | F: 01633 415223
Unit 5
| Langstone Business Village | Langstone Park | Langstone | Newport | Gwent | NP18 2LH   
line2.png
 
The information in or attached to this email is confidential and may be legally privileged. If you are not the intended recipient of this message any use, disclosure, copying, distribution or any action taken in reliance on it is prohibited and may be unlawful. If you have received this message in error, please notify the sender immediately by return email or by telephone on 01633 415222 and delete this message and any copies from your computer and network. Henry Howard Finance plc. do not warrant this email and any attachments are free from viruses and accepts no liability for any loss resulting from infected email transmissions.  Henry Howard Finance plc. reserve the right to monitor all e-mail communications through its networks. Please note that any views expressed in this email may be those of the originator and do not necessarily reflect those of Henry Howard Finance plc. registered in Wales, Company no. 40151132 has registered offices at Unit 5 Langstone Business Village, Langstone Park, Newport, NP18 2LH, VAT no. 753461724. Henry Howard Finance Plc is Authorised by the Financial Conduct Authority (FCA)
Attached is a Word document New doc.doc which contains a malicious macro. It is the same payload as seen in this other spam run earlier today.

Malware spam: "Payment Confirmation 29172230" / "reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]"

This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:

From: reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230

Dear Sirs,

Many thanks for your card payment. Please find payment confirmation attached below.

Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.

Kind Regards

Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@reed.co.uk
The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:

http://www.freewebstuff.be/34/44.exe

This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools [1] [2] [3] show traffoc to the following IPs:

136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)


According the this Malwr report, it also drops a Dridex DLL with a detection rate of 18/57.

Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10

MD5s:
4270bcfa447d96ccb41e486c74dd3d16
724683fa48c498a793d70161d46c811c
ff0f01d7da2ab9a6cf5df80db7cc508a

Thursday, 11 June 2015

Pump and Dump: "Go buy DJRT right now" / Dale Jarrett Racing Adventure Inc

This illegal Pump and Dump spam is pushing stocks in Dale Jarrett Racing Adventure Inc (DJRT):

From:    PennyStockCrew [info@pennystockcrew.com]
Date:    10 June 2015 at 10:18
Subject:    Go buy DJRT right now!

Dear Traders,

Our alert DJRT is doing so amazing that you are probably regretting you didn't buy it yet.

I'll tell you this point blank. If you didn't buy DJRT you are an idiot. Take 1 or 2k and go buy it right this second because it is going to go absolutely ballistic.

DJRT is the stock of the minute, of the hour, of the moment and my stock pick of the year!

GO buy DJRT right now and watch it kick past 10 dollars in a heartbeat.

You are signed up to my alerts at www.pennystockcrew.com

Thank you for being a loyal member.

Sincerely yours,
Penny Stock Crew | info@pennystockcrew.com | Michael Killian | PO Box 110226 | Nutley, NJ 07110

The email is almost definitely nothing to do with pennystockcrew.com but is instead being spammed out by a criminally-controlled botnet.

DJRT is a loss-making stock which probably doesn't have good prospects according to it's own SEC filing.

The P&D spam started on 10th June, and we can see from the trading data that somebody bought 1.8 million shares just before the spam run started [via]



Date Close/Last Volume
13:18 0.045 167,875*
06/10/2015 0.041 850,878
06/09/2015 0.045 470,269
06/08/2015 0.044 1,355,516
06/05/2015 0.0132 0
06/04/2015 0.0132 0
06/03/2015 0.0132 1,000
06/02/2015 0.02 0
06/01/2015 0.02 5,002
05/29/2015 0.0269 5,000
05/28/2015 0.0175 10,000
05/27/2015 0.0175 0
05/26/2015 0.0175 0
05/22/2015 0.0175 5,600
05/21/2015 0.0175 1,362
05/20/2015 0.0175 0
05/19/2015 0.0175 1,652
05/18/2015 0.0175 0
05/15/2015 0.0175 0
05/14/2015 0.0175 61,000
05/13/2015 0.0175 0
05/12/2015 0.0175 0
05/11/2015 0.0175 0
* This data reflects the latest intra-day delayed pricing.


This activity pushed the stock price up from 1.3 cents to nearly 5 cents. In recent years stocks have never traded particularly highly, but they recent dropped to the 1 cent area after trading from 2 to 5 cents.






Usually with a pump-and-dump spam such as this, it is either the spammers who are trying to manipulate the share price, or a stock holder seeking to boost the value of the shares so they can sell them. I have no evidence at all that anyone connected with Dale Jarrett Racing Adventure Inc has anything to do with this.


Typically, stocks promoted through P&D spams such as this will collapse after the spamming has finished, leaving investors out of pocket. Often the companies are on the verge of bankruptcy anyway, so investors sometimes lose everything. This too is likely to be a poor investment. Avoid.

Phish: "New_Order_#056253_Hf_Constructions" / "joseph.zhou@hong-kee.com"

I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters..

From: Kang Li [mailto:joseph.zhou@hong-kee.com]
Sent: 10. juni 2015 09:35
Subject: New_Order_#056253_Hf_Constructions

Dear,

Please find attached our new order and send P/I against 50% advance payemnt

best regards
kang
The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section.


An examination of the underlying PDF file shows two URLs listed:

[donotclick]designaffair.com.my/js/jss/accesslogin.php
[donotclick]perm.ly/importers-buyers-exporters

In turn these redirect to:

[donotclick]megatrading.hol.es/order/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html
[donotclick]tips-and-travel.com/~saulitoo/imgs/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html

The second URL listed 404s, but the first one is active. According to the URLquery report, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page at:

[donotclick]guest.lifevericalls.xyz/outlandish_litigant_tuners_nudeness/03737928145651311

This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort.

The "megatrading.hol.es" (hosted on 31.220.16.16 by Hostinger - VT report) landing page looks like a straightforward phish:


Entering the username and password always seems to return an error, even if you are absolutely certain the combination are correct..


I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.

Recommended blocklist:
31.220.16.16
92.222.42.183

Wednesday, 10 June 2015

Malware spam: "Hayley Sweeney [admins@bttcomms.com]" / "Your monthly BTT telephone bill"

This spam does not come from BTT Communications, but is instead a simple forgery with a malicious attachment:

From:    Hayley Sweeney [admins@bttcomms.com]
Date:    10 June 2015 at 11:20
Subject:    Your monthly BTT telephone bill

Please find attached your telephone bill for last month.
This message was sent automatically.

For any queries relating to this bill, please contact Customer Services on 01536 211100. 
So far I have only seen one sample with an attachment Invoice_68362.doc which contains this malicious macro [pastebin] which downloads a malicious executable from:

http://www.jimaimracing.co.uk/64/11.exe

This is saved as %TEMP%\birsafpc.exe and it has a VirusTotal detection rate of 6/57. Automated analysis tools show traffic to the following IPs:

173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)


This Malwr report also indicates that it drops a Dridex DLL with a detection rate of 7/57.

Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10

MD5s:
80e51715a4242d0d25668d499796b733
10e4291882e2d45a1a7a52e7d93a5579
53f8addb0e1734be13735e51332b2e90

Tuesday, 9 June 2015

Malware spam: "Password Confirmation [490192125626] T82"

This spam email message comes with a malicious attachment:
From:    steve.tasker9791@thomashiggins.com
Date:    9 June 2015 at 10:41
Subject:    Password Confirmation [490192125626] T82

Full document is attached
So far I have seen only a single example of this. Attached is a malicious Word document named 1913.doc [VT 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:

http://oakwindowsanddoors.com/42/11.exe

Incidentally, the macro contains a LOT of junk that appears to have been harvested from a Microsoft tutorial or something. The downloaded executable has a VirusTotal detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] indicate traffic to the following IPs:

173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
31.186.99.250 (Selectel, Russia)


The Malwr report shows that it downloads a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250

MD5s:
3a39074dd9095e0b436dcc9513a0408a
1994c977a4e6e6386e0ba17c0cffe5c9
2e5c33d8fdf22053cb3f49b200b35dc8

Monday, 8 June 2015

Malware spam: "Bank payment" / "sarah@hairandhealth.co.uk"

This fake financial spam does not come from SBP Hair and Health but is a simple forgery with a malicious attachment.
From: sarah@hairandhealth.co.uk [mailto:sarah@hairandhealth.co.uk]
Sent: Monday, June 08, 2015 10:10 AM
Subject: Bank payment

Dear customer

Please find attached a bank payment for £3083.10 dated 10th June 2015 to pay invoice 1757.  With thanks.

Kind regards

Sarah
Accounts
Attached is a file Bank payment 100615.pdf [VT 2/57] which appears to drop a Word document with a malicious macro. Although there are probably several versions of this attachment, according to the Hybrid Analysis report it downloads a component from:

192.186.217.68/~banobatwo/15/10.exe

This is saved as %TEMP%\biksampc.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] indicate network traffic to the following IPs:

146.185.128.226 (Digital Ocean, Netherlands)
31.186.99.250 (Selectel, Russia)
176.99.6.10 (Global Telecommunications Ltd, Russia)
203.151.94.120 (Internet Thailand Company Limited, Thailand)
185.12.95.40 (RuWeb, Russia)

The Malwr report indicates that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40

MD5s:
48d496afc9c2c123e1ab0c72822a7975
6cbd6126b5761efffbe10dafaa7a4bde
2e499cacb5b3a396a3b2a08bd0f4ce1e

Friday, 5 June 2015

Some domains belonging to Michael Price of BizSummits

Here are some domains belonging to Michael Price of BizSummits. Just saying.

hiringspring.net
logistics-summit.com
supplychainsummit.net
acr-clnt1.com
opendetail.com
itsecurityshow.com
lawpathfinder.net
esquirecareers.net
checkdetailz.com
bayareatechsummit.com
hospital-growthsummit.org
theproductdevsummit.net
powerbizdev.com
prexecutives.org
goldcoastsummit.com
hartfordsummit.org
tampatechsummit.com
jacksonvillesummit.com
miamisummit.org
atlantatechsummit.com
knoxvillesummit.org
nashvillesummit.org
sandiegotechsummit.com
orangecountysummit.com
lasummit.org
portlandtechsummit.com
seattletechsummit.com
denversummit.org
phoenixsummit.org
nytechsummit.org
providencesummit.org
bostonsummit.org
worcestersummit.org
portland-summit.com
cfobestpracticesroundtable.com
orlandosummit.com
cfo-summit.com
the-trainingsummit.net
thefinance-list.com
procurementsummits.org
procurementleadership.org
biz-summits.com
customerservicesociety.org
risk-summit.net
backupsite.biz
alturls.net
serveurls.net
servesites.net
arja.org

Malware spam: "General Election 2015 Invoices" / "SIMSSL@st-ives.co.uk"

This unusually-themed spam leads to malware. It does not come from St Ives but is instead a simple forgery.

From: SIMSSL@st-ives.co.uk [mailto:SIMSSL@st-ives.co.uk]
Sent: Friday, June 05, 2015 9:53 AM
Subject: General Election 2015 Invoices

Dear Sir/Madam

Please find attached your invoice 62812 for GE2015

Please could payment be quoted with your constituency name/Invoice numbers

Our Bank Details are:
St Ives Management Services Limited
HSBC
Sort Code: 40-04-24
Account Number: 71419501
Account Name: St Ives Management Services Limited

Remittance advices should be emailed to simsAR@st-ives.co.uk

If paying by cheque, please kindly remit to the address below and not to 1 Tudor Street:

St Ives Management Services Limited
c/o Branded3
2nd Floor, 2180 Century Way
Thorpe Park
Leeds
LS 8ZB

If you have already paid by credit card then there is no need for you to make payment again.

For payment queries please contact Steven Wilde 0113 306 6966

For invoice queries please contact Emily Villiers 0207 902 6449

Kind Regards
SIMS Sales Ledger
This email is intended for the addressee only. It may be confidential and legally privileged. Unauthorised use, copying or disclosure of any of it may be unlawful. St. Ives plc does not accept liability for changes made to this message after it was sent. Any opinions expressed in this email do not necessarily reflect the opinions of St. Ives plc. If you have received this communication in error, please return the message to the sender by replying to it and delete the email immediately.
Whilst St. Ives plc has taken steps to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that this email and its attachments do not adversely affect their system or data. St. Ives plc accepts no responsibility in this regard and the recipient should carry out such virus and other checks, as is considered appropriate.
St. Ives plc reserves the right to read any e-mail or attachment entering or leaving its systems from any source without prior notice.
St. Ives plc registered in England & Wales no. 1552113
Registered office: One Tudor Street, London EC4Y 0AH 


I have only seen one sample so far, with a Word document 1445942147T0.doc attached containing this macro which tries to download a malicious executable from g6000424.ferozo[.]com/25/10.exe but this fails with a timeout. However, the payload will be the Dridex banking trojan.

UPDATE:
I was informed of another download location at elkettasandassociates[.]com/25/10.exe which downloads a malicious binary with a detection rate of 5/57.

Automated analysis tools [1] [2] [3] show network traffic to the following IPs:

203.151.94.120 (Internet Thailand Company Limited, Thailand)
31.186.99.250 (Selectel, Russia)
146.185.128.226 (Digital Ocean, Netherlands)
185.12.95.40 (RuWeb, Russia)

According to this Malwr report it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
203.151.94.120
31.186.99.250
146.185.128.226
185.12.95.40

MD5s:
4287dfb5e191d92f34ae50e190eee214
e481e0a2f853a84c903aea752823e496

Monday, 1 June 2015

Malware spam: "simonharrington@talktalk.net" / "Subject: Emailing: slide1"

This malware spam arrived in my mailbox in a somewhat mangled state.
From:    Simon Harrington [simonharrington@talktalk.net]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700
  Instead of having an attachment, it has a Base 64 encoded section like this:

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA
AAAAEAAALAAAAAQAAAD+////AAAAACkAAAB+AAAA////////////////////////////////

As it is, this email is harmless because all the bad stuff needs decoding. Extracing that section and decoding it gives a file named slide1.doc which contains this malicious macro [pastebin].

This macro downloads a malicious component from:

http://irpanet.com/1/09.exe

Which has a VirusTotal detection rate of 7/56.  This Malwr report shows it communicating with the same IPs we saw earlier:

31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)


It also drops the same Dridex DLL we saw earlier, now with a detection rate of 9/56.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
0d02257ec18b92b3c1cf58b8cb6b3d37
cef5555f191735867c34868c346501ad

Incidentally, the email address is a genuine one belonging to a poor chap in Tunbridge Wells  (who has nothing to do with this). I bet his mailbox is completely packed with bouncebacks and responses from confused people..

Malware spam: "Uplata po pon 43421" / "Mirjana Prgomet [mirjana@fokus-medical.hr]"

I have no idea what "Uplata po pon" means, but this spam does come with a malicious attachment:

From:    Mirjana Prgomet [mirjana@fokus-medical.hr]
Date:    20 May 2015 at 08:26
Subject:    Uplata po pon 43421
There is no body text, but the only example I saw had an attachment name of report20520159260[1].doc which contained this malicious macro [pastebin] which downloads a malicious executable from:



http://uvnetwork.ca/1/09.exe


This is saved as %TEMP%\eldshrt1.exe and has a VirusTotal detection rate of 3/56. There are probably other download locations with other variants of the document, but the payload should be the same in each case.



Automated analysis tools [1] [2] [3] indicate network traffic to the following locations:


31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 5/53.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
7008675da5c1b0a6b59834d125fafa45
cef5555f191735867c34868c346501ad

Friday, 22 May 2015

Malware spam: "Your Invoice IN278577 from Out of Eden" / "sales@outofeden.co.uk"

This fake invoice does not come from Out of Eden Ltd but is instead a simple forgery leading to malware.

From: sales@outofeden.co.uk [mailto:sales@outofeden.co.uk]
Sent: 22 May 2015 10:50
Subject: Your Invoice IN278577 from Out of Eden

Dear customer,

Thank you for your order. Please find attached a DOC copy of your invoice IN278577 from sales order S391622.

Your order was despatched on 21/05/2015.  Please check the order on delivery and report any shortage, damage or discrepancy within 48 hours from of receipt of this invoice.

If you would prefer to receive a paper invoice or if this email has been sent to the wrong address, please email sales@outofeden.co.uk or call our Customer Service Team on 017683 72939.

Kind Regards,

Customer Services
Tel: 017683 72939
Please consider the environment before printing this email

Out of Eden Ltd
The UK's Most Popular One-Stop-Shop for Hospitality Products www.outofeden.co.uk

Home Farm Buildings, Kirkby Stephen.  CA17 4AP
Tel: 01768 372 939 Fax: 01768 372 636
Email: sales@outofeden.co.uk
VAT no: 621 2326 86
Reg. in England & Wales - Co. No. 3178081
The payload is very similar to the one found in this earlier spam run, the payload appears to be the Dridex banking trojan.

My contact who sent the information about this spam run (thanks!) also sent the following data about the attachments and download locations. I haven't had time to look into it any further.

hxxp://thepattersonco[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: b15ac324d13f8804959a81172317a4ba

hxxp://www[dot]footingclub[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: d89c0affa2c1b5eff1bfe55b011bbaa8

hxxp://hci-ca[.]com/85/20.exe/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 98c3a42b0d958333a4108e04f10d441f

hxxp://www.seedsindaphne[.]org/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 13dfb8bd543e77453cfd0ab3d586ba77 

hxxp://mercury.powerweave[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: cf5a5ec18a9031f998a1a3945ca10379


Malware spam: "This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc." / "Australian Taxation Office"

This spam doesn't seem to know if it's from Lloyds Bank or the Australian Tax Office.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    22 May 2015 at 10:31
Subject:    Remittance Advisory Email


Monday 22 May 2014

This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.

Please review the details of the payment here.


Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
The link in the email goes to a download page at sharefile.com and leads to an archive file FAX_82APL932UN_772.zip containing a malicious executable FAX_82APL932UN_772.scr which has a date stamp of 01/01/2002 (presumably to make it harder to spot).

This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] show that it downloads another file from:

relianceproducts.com/js/p2105us77.exe

This is renamed to csrss_15.exe and has a detection rate of 3/54. It is most likely a component of the Dyre banking trojan.

In addition, this Hybrid Analysis report shows traffic to:

209.15.197.235 (Peer 1, Canada) [relianceproducts.com]
217.23.194.237 (BLICNET, Bosnia and Herzegovina)

Recommended blocklist:
209.15.197.235
217.23.194.237

MD5s:
eb26a6c56b7f85b3257980d0c273c3cf
178a4e3dfa0feea04079592d3113bd2e


Thursday, 21 May 2015

Malware spam: "Travel order confirmation 0300202959" / "overseastravel@caravanclub.co.uk"

This fake booking confirmation (received from a contact - thanks!) does not come from the Caravan Club, but is a simple forgery with a malicious attachment:

From: overseastravel@caravanclub.co.uk [mailto:overseastravel@caravanclub.co.uk]
Sent: 21 May 2015 12:34
Subject: Travel order confirmation 0300202959    
    
Dear Customer,

Thank you for your travel order.

Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.

Now you have booked your trip why not let The Club help you make the most of your stay?

Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?

Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.

If you ’’ ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .

Yours sincerely    

The Caravan Club
The file in this case is called Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run.

Malware spam: "Invoice# 2976361 Attached" / "PGOMEZ@polyair.co.uk"

So far I have only seen one sample of this. The sender and subject may vary.
From:    PGOMEZ@polyair.co.uk
Date:    21 May 2015 at 08:58
Subject:    Invoice# 2976361 Attached

Invoice Attached - please confirm..


This transmission may contain information that is privileged and strictly confidential.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.

If you received this transmission in error, please contact the sender and delete the material from any computer immediately.  Thank you.

Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:

http://mercury.powerweave.com/72/11.exe

This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] show attempted communications with the following IPs:

78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195

MD5s:
f5aee45ce06f6d9f9210ae28545a14c6
56305283d26e66b81afcbcb6f0e9b9b4
015cc26b738d313e5e7aba0c9114670e

Wednesday, 20 May 2015

Malware spam: "Sky.com / Statement of Account" and "Voice Mail / You have a new voice" via volafile.io

These two spam runs attempt to download malware from volafile.io. To give the folks at Volafile credit, all the malware I have seen linked to has been taken down. I suspect that the payload is the Dyre banking trojan.

From:    Sky.com [statement@sky.com]
Date:    20 May 2015 at 12:30
Subject:    Statement of account

Afternoon,

Please find the statement of account, download and view from the link below:

https://dl4.volafile.io/download/8eFEP-cNVEX-Jg/statement_00429117.zip

We look forward to receiving payment for the September invoice as this is now due for payment.

Regards,
Elliot

This email, including attachments, is private and confidential. If you have received this email in error please notify the sender and delete it from your system. Emails are not secure and may contain viruses. No liability can be accepted for viruses that might be transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members: Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.


======================

From:    Voice Mail [Voice.Mail@victimdomain]
Date:    20 May 2015 at 12:11
Subject:    You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs5419167125_001

The transmission length was 41
Receiving machine ID : BA9R-DUQUC-TY7T

To download and listen your voice mail please follow the link below: https://dl3.volafile.io/download/rnTYPuYNVEX6Jw/statement_00429114.zip

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
volafile.io is a pretty uncommon place to share files, so it might be worth looking at your traffic to see if there have been any unexpected requests to that site.


Tuesday, 19 May 2015

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] shows that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Monday, 18 May 2015

Malware spam: "Your reasoning stands in need" / "Have a need in your thought" / "In want of your concern"

This fake financial spam run is similar to this one last week, and comes with a malicious attachment.

From:    Aida Curry
Date:    18 May 2015 at 11:40
Subject:    Your reasoning stands in need

Good Afternoon,
We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
If you need any application of bills please do not hesitate to contact us
Regards,
Aida Curry

-------------------

From:    Cornelius Douglas
Date:    18 May 2015 at 11:39
Subject:    Your reasoning stands in need

Good morning
Please find attached   a remittance advice, relating to a outpayment made to you.
Many thanks
Regards,
Cornelius Douglas
Seniour Finance Assistant

-------------------

From:    Jewell Shepard
Date:    18 May 2015 at 11:37
Subject:    Have a need in your thought

Please, see the attached similar of the remittance.
Please, can you remit a revised pronouncing so we can settle any outstanding balances.
Kind Regards,
Jewell Shepard
Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration

There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows this this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from  193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe.

This executable has a VirusTotal detection rate of 4/57. The Malwr and Hybrid Analysis reports indicates traffic to 5.63.154.228 (Reg.Ru, Russia) and also shows a dropped Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
5.63.154.228
193.26.217.220

MD5s (executable):
af15ba558c07f8036612692122992aad
0074fdc06f8b1da04c71feb249e546dc