Sponsored by..

Saturday, 1 August 2015

Spam: Countrywide Money Ltd (countrywidemoney.co.uk)

You know things must be desperate when a business turns to spam. Here's a dubious-looking spam that seems to be presenting itself in a way that looks like a get-rich-quick scheme.




From:    Countrywide Money [info@countrywidemoney.co.uk]
Reply-To:    Info@countrywidemoney.co.uk
Date:    1 August 2015 at 05:11
Subject:    Extra Income FOR YOU!


For further information on registration to become an agent, please call our introducer help Desk on 0800 195 3757; to Unsubscribe Click Here!


Incidentally, the Unsubscibe link doesn't work. Tsk tsk.

Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seems to suit an operation in Lagos rather than one in the UK. So, what can we find out about this Countrywide Money Ltd?

Let's start with the WHOIS details for the domain countrywidemoney.co.uk:

Domain name:
countrywidemoney.co.uk

Registrant:
Countrywide Money

Registrant type:
UK Individual

Registrant's address:
The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.


A non-trading individual? Let's look at that web site for a moment..


Well, it doesn't look like a personal homepage to me. But we can look up the details of Countrywide Money Ltd at Companies House to see what we can find. It turns out that the sole director is one "Tony Edwards" who should presumably be listed on the domain WHOIS:

DIRECTOR: EDWARDS, TONY MR
Appointed: 07/06/2012
Date of Birth: 24/10/1972
Nationality: BRITISH
No. of Appointments: 3
Address:
53 FEATHER DELL
HATFIELD
UNITED KINGDOM
AL10 8DE
Country/State of Residence: UNITED KINGDOM

Let's have a look at the flashy offices in Hatfield, eh? Oh.. it looks like a residential address.


A bit of a disappointment really as the web site and brochure look so promising. A little bit more digging at DueDil shows some equally disappointing looking financials.



Hmmm.

One other odd thing, the "About Us" page says that they were founded in 2002..

But Companies House says they were only incorporated in 2012:


That's kind of.. odd. There must be some rational explanation for the discrepancy.

Anyway, I'm not sure why this person feels that promoting their business through spam is appropriate. I certainly won't be signing up to this scheme.

UPDATE 6/2/16

Somebody claiming to be Tony Edwards has made several angry comments on the end of this post, but has not addressed the simple query of where they got their mailing list from. This somewhat incoherent, ill-informed and badly spelled comments cumulated in something that could easily be misinterpreted as a threat of blackmail and even violence.


These comments are connected to a Google+ profile that looks to be genuine, but it is possible I suppose that they are coming from an imposter. My personal opinion is that if they are genuine then they simply show how unprofessional Mr Edwards is.

An explanation as to how the spam email ended up with a non opt-in address would be good. An apology for spamming would be perfectly acceptable. Threats are not.

Tuesday, 28 July 2015

Malware spam: "Incoming Fax" / "Internal ONLY"

This fake fax message leads to malware:

From:    Incoming Fax [Incoming.Fax@victimdomain]
Date:    18 September 2014 at 08:39
Subject:    Internal ONLY

**********Important - Internal ONLY**********

File Validity: 28/07/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

(#2023171)Renewal Invite Letter sp.exe

Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:

http://umontreal-ca.com/word/word.exe

This has a VirusTotal detection rate of 2/55.

umontreal-ca.com (89.144.10.200 / ISP4P, Germany) is a known bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.

UPDATE:
This Hybrid Analysis report shows traffic to the following IPs:

67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)

Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208

Malware spam: "Your Air France boarding documents on 3Aug" / "cartedembarquement@airfrance.fr"

This email does not come from Air France but is instead a simple forgery with a malicious attachment.



From:    Air France [cartedembarquement@airfrance.fr]
Reply-To:    noreply@airfrance.fr
Date:    28 July 2015 at 10:32
Subject:    Your Air France boarding documents on 3Aug


Attached is your Air France boarding pass.


Attached is your boarding pass in PDF format.


Important information
  • Your boarding pass in PDF format is only valid when printed. Please print this document and present it at the airport. Please print your boarding pass in PDF format.
    If you are not able to print your boarding pass, please print it at the airport, using a Self-Service Kiosk or at a check-in counter.

Thank you for choosing Air France. We wish you a pleasant flight. This is an automatically generated e-mail. Please do not reply.



Legal notice
Air France is committed to protecting your privacy. Our privacy policy specifies:
  • how we use the data we collect about you
  • the measures we employ to protect your privacy.

You will also find the procedure for limiting the use of your data.

Attached is a file Boarding-documents.docm which comes in several variants, but carries the same exact payload as this earlier attack today.

Malware spam: "Please Find Attached - Report form London Heart Centre" / "lhc.reception@heart.org.uk"

This spam is not from the London Heart Centre, but is instead a simple forgery with a malicious attachment:

From     lhc.reception@heart.org.uk
Date     Tue, 28 Jul 2015 14:15:05 +0700
Subject     Please Find Attached - Report form London Heart Centre

(See attached file: calaidzis, hermione.doc)

Attached is a file calaidzis, hermione.docm which comes in at least three different versions [1] [2] [3] which download a malicious binary from one of the following locations:

http://laperleblanche.fr/345/wrw.exe (94.23.1.145 / OVH, France)
http://chloedesign.fr/345/wrw.exe (85.236.156.24 / Barizco Inc., France)
http://ce-jeffdebruges.com/345/wrw.exe (94.23.1.145 / OVH, France)

This is saved as %TEMP%\treviof.exe  and has a detection rate of 4/55. Automated analysis tools [1] [2] [3] report that it phones home to:

93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)

I recommend that you block that IP. The malware is the Dridex banking trojan.

MD5s:
5be14022a092eec9855e28c2498f5ada
04e3ab669c516b04f92a631aa1498ba9
550599ad64385497110f8bdb28164be2
5c8aa48a831675fa2b8e09821d37671a

Monday, 27 July 2015

Malware spam: "Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715" / "[1NAV PROD RCS] " / "donotreply@royal-canin.fr"

This spam does not come from Royal Canin, but is instead a simple forgery with a malicious attachment:

From     "[1NAV PROD RCS] " [donotreply@royal-canin.fr]
Date     Mon, 27 Jul 2015 18:49:16 +0700
Subject     Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715

Please find attached your Sales Order Confirmation

Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55, which in turn contains a malicious macro that looks like this [pastebin] which downloads an executable from one of the following locations (there are probably more):

http://www.madagascar-gambas.com/yffd/yfj.exe
http://technibaie.net/yffd/yfj.exe
http://blog.storesplaisance.com/yffd/yfj.exe


This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55. Automated analysis tools [1] [2] [3]  show that it attempts to phone home to:

93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)

MD5s:
CA6E11BAA28B724E032326898D8A1A3C
E5DA1A23BC4B530CDEA3E17B1E34C4DA
97832482A5E3D541779F591B4DA94017
6FCD67F5C5C96A98687737DC93305B3F



Friday, 24 July 2015

Evil network: Malicious RATs (including milano.exe) on 185.19.85.128/26 (Datawire AG)

There's more to this spam than meets the eye:

From:    wholesale.uganda@anisuma.com
To:    "tariq@paramountdistributors.com" [wholesale.uganda@anisuma.com]
Date:    24 July 2015 at 13:31
Subject:    re:invoice

Attention
Please confirm your consignee name and address on the BL
http://a.pomf.se/cvpkgu.rar
please let update me
thanks 
"Anisuma Traders" is the name of a legitimate trading corporation with operations in several African countries, although they are not sending the spam. It looks like a phish, right? Wrong..

The apparent link to a .rar file caught my eye. In fact, the download location is not pomf.se (a defunct Swedish site) but the click chain goes like this:

http://ge.tt/api/1/files/1XjW10L2/0/blob?download
http://api.ge.tt/1/files/1XjW10L2/0/blob?download
http://ec2-54-155-123-115.eu-west-1.compute.amazonaws.com:9009/streams/1XjW10L2/stu.rar?sig=-U7AIHwQKNyk4BP6A2uOe9UYEFBYCm3SADo&type=download

The file downloaded is stu.rar which in turn contains an executable milano.exe. I'm going to take a guess and suggest that this is a Very Bad File, although the VirusTotal report give a detection rate of just 1/55 with McAfee flagging it as "BehavesLike.Win32.BackdoorNJRat.gc"

Both the Malwr and Hybrid Analysis reports show that it hooks into the OS and attempts to avoid detection. Crucially, they both show network traffic to gee.duia.eu on 185.19.85.138 (Datawire, Switzerland).

So, McAfee thinks this is a RAT and there's suspect network traffic, but what do the email headers tell us?
Received: from mail.anisuma.com (mail.jackys.com [83.111.201.118])
    (using TLSv1 with cipher AES128-SHA (128/128 bits))
    (No client certificate requested)
    by [redacted] (Postfix) with ESMTPS id A8CE2AF548
    for [redacted]; Fri, 24 Jul 2015 12:32:29 +0000 (UTC)
Received: from [10.85.138.34] by mail.jackys.com (Cipher TLSv1:-SHA:128) (MDaemon PRO v12.5.3)
    with ESMTP id md50009556350.msg
    for [redacted]; Fri, 24 Jul 2015 16:33:59 +0400
X-Spam-Processed: mail.jackys.com, Fri, 24 Jul 2015 16:33:59 +0400
    (not processed: message from trusted or authenticated source)
X-MDRemoteIP: 185.19.85.138
X-Return-Path: prvs=164718a849=wholesale.uganda@anisuma.com
X-Envelope-From: wholesale.uganda@anisuma.com
X-MDaemon-Deliver-To: [redacted]
Content-Type: multipart/alternative; boundary="===============0415218432=="
MIME-Version: 1.0
Subject: re:invoice
To: "tariq@paramountdistributors.com" <wholesale.uganda@anisuma.com>
From: wholesale.uganda@anisuma.com
Date: Fri, 24 Jul 2015 13:31:09 +0100
The "X-MDRemoteIP" header shows that the email originates from the same server it is phoning home to. This is unusual because most spam these days come from botnets, and if the originating server gets shut down for spam then the infected clients won't be able to phone home. The email routes through servers belong to jackys.com in the UAE, perhaps indicating that someone has altered their systems to allow the malicious traffic to route through.

185.19.85.138 is therefore a server of interest, but a quick look at the IP and the neighbourhood indicate that this isn't just a single popped server.. there are 58 IPs hosting what appears to be malicious data (listed at the end) taking up the entire 185.19.85.128/26 range.

I'm betting that renting a /26 slice of Swiss servers isn't cheap.

Out of all the malicious domains (listed at the end of the post), one stands out boss.milano22.com (because the binary is named milano.exe). That is related to this malware, but the WHOIS details reveal no clues.

Another one that also caught my eye because it is multihomed on so many IPs is zexio.no-ip.biz which is related to this malware from 2012 which is variously identified as Shakblades and/or Blackshades, both illicit RAT tools.

Looking at various other domains shows that they are connected with other malicious activity over the past two years or so. What that means is that this operation is not only big, but has been going on for some time.

For research purposes, a copy of the malware is here (Zip file, password=infected)

Personally, I would recommend that you block all dynamic DNS domains on a corporate network, and combined with the other potentially malicious domains gives the following recommended blocklist:

185.19.85.128/26
a5b4c3d2e1.com
3utilities.com
blogsyte.com
brasilia.me
chickenkiller.com
craftx.biz
ddns.me
ddns.net
dnsiskinky.com
duia.eu
dvrcam.info
eating-organic.net
game-server.cc
game-host.org
geekgalaxy.com
gotdns.com
homeip.net
isa-geek.net
glory297.org
hopto.org
linkpc.net
milano22.com
minecraftnoob.com
mlbfan.org
no-ip.biz
no-ip.info
no-ip.org
noip.me
noip.us
redirectme.net
serveblog.net
serveftp.com
sytes.net
zapto.org
zicoyanky.pw

Malicious IPs:
185.19.85.133
185.19.85.134
185.19.85.135
185.19.85.136
185.19.85.137
185.19.85.138
185.19.85.139
185.19.85.140
185.19.85.141
185.19.85.142
185.19.85.143
185.19.85.144
185.19.85.145
185.19.85.146
185.19.85.147
185.19.85.148
185.19.85.149
185.19.85.150
185.19.85.151
185.19.85.152
185.19.85.153
185.19.85.154
185.19.85.155
185.19.85.156
185.19.85.157
185.19.85.158
185.19.85.159
185.19.85.160
185.19.85.161
185.19.85.162
185.19.85.163
185.19.85.164
185.19.85.165
185.19.85.166
185.19.85.167
185.19.85.168
185.19.85.169
185.19.85.170
185.19.85.171
185.19.85.172
185.19.85.173
185.19.85.174
185.19.85.175
185.19.85.176
185.19.85.177
185.19.85.178
185.19.85.179
185.19.85.180
185.19.85.181
185.19.85.182
185.19.85.183
185.19.85.184
185.19.85.185
185.19.85.186
185.19.85.187
185.19.85.188
185.19.85.189
185.19.85.190

Malicious domains:
fort.ugo10.minecraftnoob.com
mtxcg.craftx.biz
6306921.no-ip.biz
1mathieucg.no-ip.biz
artengo.no-ip.biz
asawakath.no-ip.biz
asrxxx.no-ip.biz
bluemountain55.no-ip.biz
bluntmosphere.no-ip.biz
businessdb04.no-ip.biz
charssi693.no-ip.biz
chobitsshocks.no-ip.biz
daniel123k.no-ip.biz
debug.no-ip.biz
divin32.no-ip.biz
donkriss101.no-ip.biz
draynet1.no-ip.biz
fatal889321.no-ip.biz
freebandz.no-ip.biz
freeyou2014.no-ip.biz
gptman5.no-ip.biz
gptmanster5.no-ip.biz
ian1954.no-ip.biz
icediamant.no-ip.biz
ikemello.no-ip.biz
infosearch898.no-ip.biz
itisnotreal.no-ip.biz
jskvikel.no-ip.biz
kobsrat.no-ip.biz
lizzykane.no-ip.biz
lolwot.no-ip.biz
maicol.no-ip.biz
michael8776.no-ip.biz
miker790.no-ip.biz
milano22.no-ip.biz
mortexmutex.no-ip.biz
natilexx.no-ip.biz
nonysa.no-ip.biz
oezeokobe1.no-ip.biz
oneprouddad.no-ip.biz
rumberocalle.no-ip.biz
serenity786.no-ip.biz
sm3351.no-ip.biz
sslcertificates.no-ip.biz
stroperjilles.no-ip.biz
update28459.no-ip.biz
uzolion.no-ip.biz
windowsupdate995.no-ip.biz
wizard2002.no-ip.biz
wowyougotme.no-ip.biz
wuwksterboss.no-ip.biz
zexio.no-ip.biz
new.game-server.cc
nnicrosoft.3utilities.com
obinnabio.blogsyte.com
joeban.chickenkiller.com
ceedata.dnsiskinky.com
bio4kobs.geekgalaxy.com
kan3.gotdns.com
boss.milano22.com
microsoftcorp.serveftp.com
shadybiodata.dvrcam.info
izimother.no-ip.info
lopta10.no-ip.info
nzvat.no-ip.info
test13.no-ip.info
biodataczar.brasilia.me
streetdesciple.ddns.me
austinrat.noip.me
marct2702.noip.me
bigtoby35.ddns.net
businessdb00.ddns.net
layziebone009.ddns.net
mikey0147.ddns.net
cagbbio.eating-organic.net
new.homeip.net
pcuser.homeip.net
updated.homeip.net
spynet.homelinux.net
microdude.isa-geek.net
akconsult.linkpc.net
enitan.linkpc.net
server23.redirectme.net
serialcheck55.serveblog.net
obasanjo.sytes.net
sadsix.sytes.net
window.sytes.net
internet.game-host.org
coza.glory297.org
makingpay.hopto.org
tudorsdetails.mlbfan.org
ayool.no-ip.org
ayool1.no-ip.org
ayool2.no-ip.org
beastyyou.no-ip.org
business11.no-ip.org
chuks052.no-ip.org
cryptoesel.no-ip.org
dextercom.no-ip.org
divin32.no-ip.org
doingit108.no-ip.org
fazbar2013.no-ip.org
frankspecht.no-ip.org
immo506.no-ip.org
immo886.no-ip.org
jackro.no-ip.org
lizzykane.no-ip.org
micheal4fingax-07.no-ip.org
milano99.no-ip.org
morechedder.no-ip.org
mywaylife.no-ip.org
orangeroom.no-ip.org
papakamsi4moni7.no-ip.org
spongebob30.no-ip.org
ukon.no-ip.org
win7test.no-ip.org
zenithsales.no-ip.org
0tazbox.zapto.org
bellwiz2.zapto.org
bluemountain.zapto.org
bluemountain66.zapto.org
client.zapto.org
hessu.zapto.org
hessubs.zapto.org
izilife.zapto.org
sadsix.zapto.org
tazbox.zapto.org
tinubu.zapto.org
win7test.zapto.org
x631.zapto.org
xecuter.zapto.org
xecuter2.zapto.org
www.zicoyanky.pw
twitch.noip.us
a5b4c3d2e1.com
gee.duia.eu

Thursday, 23 July 2015

Malware spam: "Order Form for Job Number 2968347" / "steve.champion@printing.com"

This fake financial spam does not comes from printing.com but is instead a simple forgery with a malicious attachment.

From     "steve.champion@printing.com" [steve.champion@printing.com]
Date     Thu, 23 Jul 2015 18:23:44 +0700
Subject     Order Form for Job Number 2968347

Hello ,

Thanks for your order, job reference 2968347. Please open the attached order form,
read it and check it.

To Accept your order:
- Visit http://www.printing.com/uk/
- Sign in (see below if you don't have a username or you've forgotten your password);
- In the "My Orders" section, click on job 2968347;
- Click the "Accept" button at the bottom of the screen;

If you have any queries about the order please call me before you accept it.

Thanks again for your order!

Kind Regards,

Steve Champion

printing.com Middlesbrough
Cargo Fleet Offices
Middlesbrough Rd
Middlesbrough
TS6 6XH
Tel: 01642 205649
Fax:
Email: steve.champion@printing.com

Franchises are independently owned and operated under licence. Dan James Limited.
Registered in England No. 5164910 Registered Address: Rede House, 69-71 Corporation
Road, Middlesbrough, TS1 1LY VAT Registration No.: GB 847 8229 85

Attached is a file OrderForm2968347.docm which I have seen in three different versions (there are maybe more) with various detection rates [1] [2] [3]. They contain a malicious macro like this one [pastebin].

The macro downloads a malicious binary from one of the following locations:

solution-acouphene.fr/mini/mppy.exe
surflinkmobile.fr/mini/mppy.exe
verger-etoile.fr/mini/mppy.exe


All of these are on the same compromised OVH France server of 94.23.1.145. The binary has a detection rate of just 2/54 and it is saved as %TEMP%\ihhadnic.exe. Automated analysis [1] [2] [3] shows attempted network traffic to:

85.25.199.246 (PlusServer AG, Germany)
194.58.96.45 (Reg.Ru, Russia)
31.131.251.33 (Selectel, Russia)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
85.25.199.246
194.58.96.45
31.131.251.33
94.23.1.145

MD5s:
74fca464697b5816acfe9140ee387ecd
fd8291e5147abef45654f3da6d5cfc28
a32eb507c674d82c6161bb606f594782
a3e64d3f4fa2168315428e573746caf4

Wednesday, 22 July 2015

Malware spam: "Payment Receipt" / "donotreply@dart-charge.co.uk"

This fake financial email is a simple forgery with a malicious attachment.

From     [donotreply@dart-charge.co.uk]
Date     Wed, 22 Jul 2015 19:26:51 +0700
Subject     Payment Receipt
The samples I saw had no body text and an attachment PaymentReceipt.xml [VT 5/55] which is an XML file [pastebin] with a Base64 encoded section which magically transforms into a malicious Word macro.

This macro downloads a malicious binary from:

http://puerta.fr/sandra/write.exe

Other versions of the attachment may download the same binary from different locations. This is saved as %TEMP%\mikapolne.exe and has a VirusTotal detection rate of 26/55. Automated analysis [1] [2] [3] shows it communicating with:

194.58.96.45 (Reg.Ru, Russia)

This IP has been in use in this other campaign today and is well worth blocking.

MD5s:
89e93a926de9c212a2b148722c938ba3
38f9913a89f00badb2a78c6f19c33544





Malware spam: HMRC application with reference XXXX XXXX XXXX XXXX received / noreply@hmrc.gov.uk

These spam emails do not come from HMRC (the UK tax office) but are instead a simple forgery with a malicious attachment.
From:    noreply@hmrc.gov.uk [noreply@hmrc.gov.uk]
Date:    22 July 2015 at 13:19
Subject:    HMRC application with reference 5CSS 1QDX 27KH LRFM received

The application with reference number 5CSS 1QDX 27KH LRFM submitted by you or your agent to register for HM Revenue & Customs (HMRC)  has been received and will now be verified. HMRC will contact you if further information is needed.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Attached is a file 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc with a VirusTotal detection rate of 7/55 which if opened (not advised) pretends to be an encrypted document that requires Active Content to be enabled.

According to this Hybrid Analysis report the embedded macro contacts the following hosts to download components:

vinestreetfilms.com/wp-content/plugins/jetpack/_inc/genericons/genericons/rtl/78672738612836.txt
midlandspestcontrol.net/wp-includes/js/tinymce/themes/advanced/skins/o2k7/78672738612836.txt
midlandspestcontrol.net//wp-includes/js/tinymce/themes/advanced/skins/o2k7/fafa.txt

This includes another malicious script. This then leads to the download of a malicious binary from:

anacornel.com/images/desene/united.exe

This has a VirusTotal detection rate of just 2/55. Automated analysis is pending.

MD5s:
605905df205b6c266856990a49abdfef
1fdb0af80d01739410a3eef67c4144ff

UPDATE: a Hybrid Analysis report is here, but it does not add much more detail.

Malware spam: "Invoice Batch for UCB01 from: Excel Manufacturing Ltd" / "Joanne Durham [Joanne.durham@excel.gb.com]"

This fake financial spam does not come from Excel Manufacturing Ltd but is instead a simple forgery with a malicious attachment.

From:    Joanne Durham [Joanne.durham@excel.gb.com]
Date:    22 July 2015 at 10:04
Subject:    Invoice Batch for UCB01 from: Excel Manufacturing Ltd


Please see our Invoice for your reference [Cust Ord No] attached.

Yours sincerely,

Excel Manufacturing Ltd
Unit 1 & 2 Fieldhouse Business Park,
Old Fieldhouse Lane,
Huddersfield,
West Yorkshire,
HD2 1FA

Tel: (01484) 452010
Fax: (01484) 452015
Email: info@excel.gb.com

So far I have only seen one sample with an attachment Excel Manufacturing Ltd Invoice UCB01.docm which has a VirusTotal detection rate of 8/56. The document contains this malicious macro [pastebin] which downloads a binary from:

http://amsaqwankido.com/max/bbw.exe

which is saved as %TEMP%\mikapolne.exe . This has a detection rate of 3/55 and this Malwr report shows suspect traffic to the following IP:

194.58.96.45 (Reg.Ru, Russia)

This appears to drop the Dridex banking trojan.

MD5s:
1aa3f816e710f3cecb255845d4738c5e
839ca1594450c1d7afca5fddc376fbfa

Tuesday, 21 July 2015

Malware spam: "Administrator - EDCSRP earmarking (Update 07_21_2015).doc" / "Internal ONLY"

These two spam email messages have the same malicious payload:

From:    Administrator@badeleke [Administrator@victimdomain]
To:    badeleke@victimdomain
Date:    24 July 2014 at 10:30
Subject:    Administrator - EDCSRP earmarking (Update 07_21_2015).doc

badeleke,

This attachment(EDCSRP earmarking (Update 07_21_2015).doc) provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.


Thank you,
Administrator
http://www.victimdomain

----------------------

From:    Incoming Fax [Incoming.Fax@victimdomain]
To:    administrator@victimdomain
Date:    18 September 2014 at 08:35
Subject:    Internal ONLY

**********Important - Internal ONLY**********

File Validity: 07/21/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: Internal_report_07212015_5542093.doc

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
Note the odd dates on the spam email. In all cases, the attachment is called EDCSRP earmarking (Update 08_21_2015).doc and at present it has a VirusTotal detection rate of 7/55. It contains a complex macro [pastebin] which (according to Hybrid Analysis) downloads additional components from:

phudge.ca/wordpress/wp-content/themes/canvas/includes/.svn/props/78672738612836.txt
kedros.ch//modules/mod_araticlhess/78672738612836.txt


Automated analysis didn't work on this and frankly instead of reinventing the wheel I refer you to this note from @Techhelplistcom which reveals an executable being downloaded from:

umontreal-ca.com/ualberta/philips.exe

This domain was registered just yesterday to an anonymous person and is hosted on 89.144.10.200  (ISP4P, Germany) so we can assume that it is malicious. But here's an interesting detail.. if you look at the Word document itself it does actually claim to be from the University of Montreal (click to enlarge).



That seems like a lot of effort to go to, more than is usual for this type of drive-by attack.The malicious executable philips.exe has a detection rate of 13/55 and again, the Comments field has a useful list of IP address to block thanks to @Techhelplistcom.

This whole thing is Upatre dropping the Dyre banking trojan, and it's quite clever stuff. Perhaps your best defence is a user education programme about not enabling active content on suspect emails..

Recommended minimum blocklist:
89.144.10.200

MD5s:
e945383e19955c420789bf5b3b415d00
015774e058bcb1828726848d2edd93f9

Friday, 17 July 2015

Malware spam: "You've earned it" / "You've deserved it" etc

This is another randomly-generated round of malware spam, following on from this one.

Date:    17 July 2015 at 16:04
Subject:    You've earned it

You have done a great business for our company. Even when someone else lost their heart , you managed with those nuisances and pushed it through.
The luck completely goes to you. We pay attention how you toiled to make it great , and you deserve more except superior's thanks or compliments.
You have got big capability and capacity , and I'm personally sure that you'll renew that luck over and over again. We appreciate that we have you on our group.
Our head management couldn't find better words and would like to give you a exclusive bounty only for you. Please view this applied gift

Date:    17 July 2015 at 17:06
Subject:    You've earned this

You did a great work for our group. Even when everyone else lost their heart , you met with those inconveniences and struggle it.
This success certainly appertains to you. We note how you toiled to do it perfect , and you earn more except our acknowledgements or congratulations.
You have great genius and productivity , and I'm individually sure that you'll repeat the same winning over and over again. All of us appreciate that we have you on our group.
Company's head office can't find better words and want to give you a deluxe bonus just for you. Please accept the enclosed present

Date:    17 July 2015 at 17:08
Subject:    You've earned this

You did a good thing for our company. Even when everyone else lost their heart , you met with those obstacles and exert yourself to the utmost extent.
This success undoubtedly belongs to you. We note how hard you worked to do it super , and you deserve more except superior's acknowledgements or congratulations.
You have big talent and potential , and I'm individually confident that you'll repeat the same triumph over and over again. All of us appreciate that we are with you in company's group.
Our head management can't find better words and would like to make a exclusive bonus only for you. Please accept the enclosed bonus

Date:    17 July 2015 at 17:02
Subject:    You've deserved it

You did a excellent work for our group. Even when someone else lost their hope , you managed with those discommodes and pushed it through.
The victory certainly goes to you. We know how you toiled to make it good , and you must get more than management's thanks or compliments.
You have got tremendous capability and performance , and I'm individually assured that you'll redo this triumph over and over again. All of us appreciate that we got you on department's group.
Company's general department couldn't find better words and want to give you a deluxe donation just for you. Please take this enclosed  bounty 
In the samples I have seen, the attachment is called bounty.doc, Giftinfo.doc, bonus.doc,
or bonusinfo.doc [VT detection rate 6/55], but the content is the same. If a potential victim opens it, the document looks like this:


If the user follows these steps, this malicious macro [pastebin] will run, infecting their machine. The Hybrid Analysis report shows the macro downloading various components from:

www.buck.tv/cms/wp-content/uploads/78672738612836.txt
www.bereciartua.com/wp-content/themes/bereciartua/78672738612836.txt
www.bereciartua.com/wp-content/themes/bereciartua/papa.txt


All of these files are actually scripts, and they appear to download a malicious executable from:

195.154.93.8/123a.exe

This has a VirusTotal detection rate of 4/55, and that same VirusTotal report shows it phoning home to:

93.185.4.90:12328/ETU2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBLGBEID
93.185.4.90:12328/ETU2/<MACHINE_NAME>/41/5/4/MEBEFEBLGBEID


We've seen the 93.185.4.90 a few times recently, and it is absolutely worth blocking and/or monitoring traffic to this IP.

Malware spam: eFax message from "unknown" - 1 page(s), Caller-ID: 1-123-456-7890

This fake fax spam leads to malware:

From:    eFax [message@inbound.efax.com]
To:    administrator@victimdomain
Date:    17 July 2015 at 10:42
Subject:    eFax message from "unknown" - 1 page(s), Caller-ID: 1-357-457-4655



Fax Message [Caller-ID: 1-357-457-4655
You have received a 1 page fax at Fri, 17 Jul 2015 15:12:25 +0530.

* The reference number for this fax is atl_did1-1400166434-67874083637-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:

breedandco.com/fileshare/FAX-1400166434-707348006719-154.zip

The ZIP file has a detection rate of 6/55 and it contains a malicious exeuctable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55. Automated analysis [1] [2] [3] shows a characterstic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):

93.185.4.90:12325/ETK7/<MACHINE_NAME>/0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90:12325/ETK7/<MACHINE_NAME>/41/5/1/GKBIMBFDBEEE


This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip.dyndns.org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.

The malware reaches out to some other malicious IPs (mostly parts of a botnet):

93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)

Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55] and vastuvut.exe [VT 6/55].

Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106

MD5s:
777ea29053d4e3e4eeb5689523a5ed11
2cb619f59c10a9877b672d66ab17edf9
efa2887ab892c34a5025aa3f943f49a9
debfdeb9b14dda4ed068a73b78ce5a24

Thursday, 16 July 2015

Malware spam: "Excelent job !" / "Good achievement !"

These spam emails appear to have randomly-generated text, which would account for the strange language.. and they come with a malicious attachment:

Date:    16 July 2015 at 12:53
Subject:    Excelent job !

Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
All the best.
Michelle Curtis Company management

---------------------

Date:    16 July 2015 at 11:53
Subject:    Good achievement !

Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
With the best regards.
Sharon Silva Company management 
Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc


Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55. Inside the document is this malicious macro [pastebin], which (according to Hybrid Analysis) downloads several components (scripts and batch files) from:

thereis.staging.nodeproduction.com/wp-content/uploads/78672738612836.txt
www.buildingwalls.co.za/wp-content/themes/corporate-10/78672738612836.txt
www.buildingwalls.co.za/wp-content/themes/corporate-10/papa.txt


These are executed, then a malicious executable is downloaded from:

midwestlabradoodles.com/wp-content/themes/twentyeleven/qwop.exe

This has a VirusTotal detection rate of 8/55 and that report plus other automated analysis tools [1] [2]  phones home to the following malicious URLs:

93.185.4.90:12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90:12319/LE2/<MACHINE_NAME>/41/7/4/


That IP belongs to C2NET in the Czech Republic. It also send non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.

This malware drops the Dyre banking trojan.

Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction.com
www.buildingwalls.co.za
midwestlabradoodles.com

MD5s:
0582ed37ebb92da47fc2782e3228a4c5
ea0daafe232c6ffb8f783bb1f317fbf2

Friday, 10 July 2015

Malware spam: "Invoice reminder" / "morgan-motor.co.uk"

Nope, you haven't ordered an esoteric British sports car. This malware spam is not from the Morgan Motor Company, but is instead a simple forgery with a malicious attachment.

From     "Marie Atkins" [Marie.Atkins@morgan-motor.co.uk]
Date     Fri, 10 Jul 2015 12:50:54 +0200
Subject     Invoice reminder

Please note that so far we had not received the outstanding amounts in accordance
with the invoice enclosed below.
Unfortunately, we cannot wait another week for amounts to be settled. Kindly ask
You to arrange the payment in the nearest future (2 days).
In case the funds are not received in two days we reserve the right to use legal
approaches in order to resolve this issue.
We hope You will duly react to this notification and save good business relationships
with us.
Other senders spotted are Effie.Henry@morgan-motor.co.uk and Carmine.Randolph@morgan-motor.co.uk although there are probably others. Attached is a ZIP file named invoice-ITK709415.zip [VT 13/54] which contains a malicious executable invoice-ITK709415.scr, this has a VirusTotal detection rate of 3/55.

The Malwr report shows that this is the Upatre downloader, which always leads to the Dyre banking trojan. The characteristic callback pattern can be seen in the network traffic:

http://38.65.142.12:12569/RT77/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://38.65.142.12:12569/RT77/HOME/41/5/1/ELHBEDIBEHGBEHK

We've seen that IP before. Another characteristic bit of traffic (but not malicious) is a HTTP request to icanhazip.com. Although this is a legitimate service to determine the IP address of the client, it is also a pretty good indicate of Upatre/Dyre infection and is worth looking out for on your network.

The downloader seems to drop a modified version of itself, in this case called aloyzan.exe and also having a 3/55 detection rate. In additional, a file named whicalous.exe [VT 1/55] is dropped.

Recommended blocklist:
38.65.142.12

MD5s:
ef068f3b4e1927de34273d98c88d3abc
cd90c812c9e8a1168ecd89fb8f64ea05
99960df0cddf89e2e8eac54f371da63b
1f8e40aa49e9c3e633e450e85a888ba2

Thursday, 9 July 2015

Malware spam: "Your order No. 3269637 has been despatched" / "info@123print.co.uk"

This fake financial spam does not come from 123Print but is instead a simple forgery with a malicious attachment.

From     "info@123print" <[nfo@123print.co.uk]
Date     Thu, 09 Jul 2015 12:09:12 +0200
Subject     Your order No. 3269637 has been despatched

Dear customer

Your order 3269637 has been despatched.

Please see attachment for details.
Attached is a file 4077774.doc for which I have seen three variants [1] [2] [3] [Hybrid Analysis] which downloads a malicious executable from one of the following locations:

robindesdroits.com/43/82.exe
illustramusic.com/43/82.exe
prodasynth.com/43/82.exe

Those sites are hosted on 213.186.33.19 and 213.186.33.87 which are OVH parking IPs.

That executable has a detection rate of 8/54 and automated analysis tools [1] [2] [3] show traffic to 62.210.214.106 (OVH, France). The payload is the Dridex banking trojan.

Recommended blocklist:
62.210.214.106

MD5s:
17cfe88703b471940c22aa01a367a2a3
404b61075c9b5cb7b8ecf107b4b4ccb0
53d0ee49815c7f9740b80fdbb50f599d
0488144945839b1a8cdf5ab6f37c471d

Wednesday, 8 July 2015

Malware spam: "Strange bank account operation" / "Unauthorised bank account activity" / "Illegal bank account transfer" etc

This fake financial spam comes with a malicious payload. It appears to be randomly generated in part, here are some examples:
Date:    8 July 2015 at 18:02
Subject:    Strange bank account operation

Kindly be informed that bank did noticed suspect attempt of money withdrawal relating to Your debit card.
Please find enclosed bank e-mail sent by financial department on Monday.
As well attached are security details for Your review.
Michael Morgan
Senior Manager

==========

Date:    1 January 1970 at 00:00
Subject:    Suspicious bank account operation

Kindly be acknowledged that bank had found unauthorised attempt of amounts withdrawal from Your credit card.
Please find enclosed bank warning provided by bank manager earlier.
Also enclosed are security details for Your affirmation.
Robin Owen
Chief accountant

==========

Date:    8 July 2015 at 17:59
Subject:    Illegal bank account transfer

Kindly be informed that bank security department has found illegal attempt of money withdrawal from Your Mastercard account.
Please check the enclosed bank publication provided by banking department today.
As well attached are security details for Your approval.
Clive Adams
Tax Consultant

=========

Date:    8 July 2015 at 16:55
Subject:    Strange bank account transfer

Kindly note that bank did noticed suspect attempt of amounts withdrawal related to Your Mastercard.
Please examine the enclosed bank statement sent by manager on Monday.
Furthermore attached are personal details for Your confirmation.
Martin Morgan
Tax authority

==========

Date:    8 July 2015 at 17:51
Subject:    Unauthorised bank account activity

Kindly be acknowledged that bank security department had detected suspect attempt of money withdrawal related to Your debit card.
Please check the enclosed bank statement forwarded by banking department today.
In addition attached are security details for Your control.
Robin Willis
Senior Manager

Attached is a Word document [VT 6/55]with various filenames:

extract_of_bank_document.doc
fragment_of_bank_fax.doc
original_of_bank_report.doc
scan-copy_of_bank_document.doc
transcript_of_bank_statement.doc


All the samples I have seen have an identical document with different names, containing this malicious macro which then goes off and downloads various other components according to the Hybrid Analysis report, using the following URLs:

midwestlabradoodle.com/wp-content/plugins/really-simple-captcha/6727156315273.txt
artyouneed.com/wp-includes/theme-compat/6727156315273.txt
artyouneed.com/wp-includes/theme-compat/kaka.txt

These appear to download as a set of malicious scripts [1] [2] [3] which then download a further component from:

bluemagicwarranty.com/wp-includes/theme-compat/getrichtoday.exe

This binary has a detection rate of 3/55. The Malwr report shows that it drops two other files, named as Zlatowef.exe [VT 3/55] and redtytme4.exe [VT 9/55] and it also downloads components from:

38.65.142.12:12551/ON12/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
38.65.142.12:12551/ON12/HOME/41/5/4/ELHBEDIBEHGBEHK


That IP is allocated to Cogent Communications in Mexico. The download is Upatre which means that the payload is almost definitely the Dyre banking trojan, even though the delivery mechanism of a Word document is unusual for Dyre.

Recommended blocklist:
38.65.142.12
midwestlabradoodle.com
artyouneed.com
bluemagicwarranty.com

MD5s:
8d547f5ef829d9033c3eb5d4ce1602c1
5cff4106fd4c393f4b935e8e97277351
21023e02a33ec1d924f489378d1f01d5
e8f2c4845008d3064948ed336c1a9852




Monday, 6 July 2015

Malware spam: "Statement as at 30/06/2015" / "Manchester Accounts [manchester.accounts@hobsrepro.com]" / "blogdynamoocom.exe"

This fake financial spam does not come from Hobs Reprographics plc but instead is a simple forgery with a malicious attachment. The malware also rather cheekily includes a reference to this blog. Привет, ребята!

From:    Manchester Accounts [manchester.accounts@hobsrepro.com]
Date:    6 July 2015 at 07:10
Subject:    Statement as at 30/06/2015

Please find attached statement from HOBS REPROGRAPHICS PLC as at
30/06/2015.

Please note that our payment terms are 30 days.

So far I have only seen one sample, with an attachment named ELLE013006.doc [VT 4/54] which contains this malicious macro [pastebin] which downloads a malicious executable from:

ozelduzensurucukursu.com/253/632.exe

Well, it would do, but in the sample I have there's a syntax error in the URL..

There are usually several versions of the document, probably some of the others work OK. The executable is saved as %TEMP%\blogdynamoocom.exe (see what they did there?) and has a VirusTotal detection rate of 1/50. Automated analysis tools [1] [2] [3] indicates that the malware phones home to:

62.210.214.106 (OVH, France)
93.89.224.97 (Isimtescil, Cyprus)
87.236.215.151 (OneGbits, Lithuania)


The payload to this is almost definitely the Dridex banking trojan.

Recommended blocklist:
62.210.214.106
93.89.224.97
87.236.215.151


MD5:
9daf4c0bca8fbba53517fdab1ef4e16d
1a468423fc391c90a6e4d6c0dbbc085f



Wednesday, 1 July 2015

Malware spam: "Notice of Underreported Income" / "noreply@hmrc.gov.uk"

The second HMRC spam run of the day..

From:    HM Revenue and Customs [noreply@hmrc.gov.uk]
Date:    1 July 2015 at 11:36
Subject:    Notice of Underreported Income

Taxpayer ID: ufwsd-000004152670UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form herc

In this case, the link goes to bahiasteel.com/secure_storage/get_document.html however, the payload is Upatre leading to the Dyre banking trojan, as seen in this other spam run today.

Malware spam: "HMRC taxes application with reference L4TI 2A0A UWSV WASP received" / "noreply@taxreg.hmrc.gov.uk"

This fake tax spam leads to malware:

From     "noreply@taxreg.hmrc.gov.uk" [noreply@taxreg.hmrc.gov.uk]
Date     Wed, 1 Jul 2015 11:20:37 +0000
Subject     HMRC taxes application with reference L4TI 2A0A UWSV WASP received

The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
now be verified. HMRC will contact you if further information is needed.

Please download/view your HMRC documents here: http://quadroft.com/secure_storage/get_document.html

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.d

If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake 404 page will be generated.
The page then forwards to the real HMRC login page but attempts to dump a malicious ZIP from another source at the same time.

In this case, the ZIP file was Document_HM901417.zip which contains a malicious executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55 (identified as the Upatre downloader).

Automated analysis [1] [2] [3] shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55.

The payload is almost definitely the Dyre banking trojan.