Sponsored by..

Friday, 18 September 2015

E.ON "You've got mail" spam

I haven't used E.ON for a couple of years, and I no longer have an account with them. So I was surprised to get this E.ON-themed spam. Is it malware? No, it really is E.ON spamming me..

------------
From:    E.ON Energy [eon@eonenergy.com]
Reply-To:    "E.ON Energy" [eon@eonenergy.com]
Date:    17 September 2015 at 19:02
Subject:    You've got mail

You've got mail.
If you are having trouble viewing this email, you can view it here.

E.ON

You've got mail

Dear Conrad Longmore

Thanks for letting us know you'd like us to send you information by email.

What does this mean for me?
You'll receive contact from us by email instead of through the post. We're introducing our emails gradually, so you'll still get a few things through the post until we're all up and running.
What kind of things will you send me?
We'll only send you important information that you need to know about your account, including:



  • Changes to Direct Debit payments, if you've chosen to pay this way.



  • Asking for meter readings



  • Reminding you about any appointments you have  with us.



  • Reminding you about paying for the energy you've used, if you haven't already told us when
  • you're going to pay.



  • Anything else we think you'll need to know about your service from us.
  • Don't worry, we won't send you information to sell you anything, unless you've already told us we can.
    What if I change my mind?
    Visit our website and let us know.
    If you change your mind, we'll still send you reminders by email if you've not paid us what you owe.
    As you're an online customer, we'll also still send you an email when your bill is ready to view and other emails related to your online account you automatically get when you've signed up online.
    If you've got questions about your account or anything else, click here. You won't get through to us by replying to this email.
    Yours sincerely

    E.ON Customer Services


    Helping our customers. We're on it. E.ON

    twitter
    Facebook
    Follow us on Facebook and Twitter and keep up to date.


    Disclaimer Notice
    This email has been sent by E.ON Energy Solutions Limited. While we have checked this email and any attachments for viruses, we cannot guarantee that they are virus-free. You must therefore take full responsibility for virus checking.

    This message and attachments are confidential and should only be read by those to whom they are addressed.
    If you are not the intended recipient, please contact us, delete the message from your computer and destroy any copies. Any distribution or copying without prior permission is prohibited.

    Internet communications are not always secure and therefore E.ON does not accept legal responsibility for this message. The recipient is responsible for verifying its authenticity before acting on the contents. Any views or opinions presented are solely those of the author and do not necessarily represent those of E.ON.

    Registered Address
    E.ON Energy Solutions Limited. Registered office: Westwood Way, Westwood Business Park, Coventry, CV4 8LG. Registered in England and Wales No. 3407430.

    CONSENT CSS

    Ooookay. So it's a phish or malware, right? Well, in this case floating over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain that others do.

    It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.

    Logging on to my account gives this message..

    And from that point onwards there is nothing at all that I can do. I can't turn off the E.ON spam because I don't have an account with them!

    It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..

    UPDATE:
    E.ON have posted some information about the cock-up and an apology here.

    Thursday, 17 September 2015

    Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT

    This fake financial spam (presumably) comes in several different variants (I saw two):

    From     "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]
    To     hp_printer@victimdomain.com
    Date     Thu, 17 Sep 2015 12:16:26 GMT
    Subject     FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)


    From             Mabel Winter
    To             hp_printer@victimdomain.com
    Sent             Thu, 17 Sep 2015 12:12:26 GMT
    ID             7216378
    Number             6767609,1
    Title             Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT

    Negotiation Preview Immediately upon publishing
    Negotiation Open Immediately upon publishing
    Negotiation Close September 21, 2015 10:00 am GMT
    Company R.R. Donnelley & Sons Company
    Subject ITT Clarifications
    To view the message, please open attachment. 
    The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.

    The payload appears to be Upatre/Dyre as seen earlier today.

    Malware spam: "Shell E-Bill for Week 38 2015"

    This fake financial spam comes with a malicious attachment:

    From     [invoices@ebillinvoice.com]
    To     administrator@victimdomain.com
    Date     Thu, 17 Sep 2015 11:10:15 GMT
    Subject     Shell E-Bill for Week 38 2015

    Customer No         : 28834
    Email address       : administrator@victimdomain.com
    Attached file name  : 28834_wk38_2015.PDF

    Dear Customer,

    Please find attached your invoice for Week 38 2015.

    In order to open the attached PDF file you will need
    the software Adobe Acrobat Reader.

    For instructions of how to download and install this
    software onto your computer please visit
    http://www.adobe.com/products/acrobat/readstep2.html

    If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

    Yours sincerely

    Customer Services

    ======================================================
    This email, its content and any files transmitted with
    it are confidential and intended solely for the use of
    the individual(s) to whom it is addressed.
    If you are not the intended recipient, be advised that
    you have received this email in error and that any use,
    dissemination, forwarding, printing or copying of
    this email is strictly prohibited.
    ======================================================

    Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.

    MD5:
    0d9c66ffedce257ea346d2c7567310ac

    Wednesday, 16 September 2015

    Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"

    This fake Lloyds Bank spam comes with a malicious payload:

    From:    RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
    Date:    15 September 2015 at 13:18
    Subject:    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/

    Please find attached our document pack for the above customer. Once completed please return via email to the below address.

    If you have any queries relating to the above feel free to contact us at

    MN2Lloydsbanking@lloydsbankcommercial.com
    Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637

    Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

    Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

    Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

    HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.

    This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.

    In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:

    thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
    thebackpack.fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
    obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
    obiectivhouse.ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt

    A further download  then takes place from:

    vandestaak.com/css/libary.exe

    This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).

    Recommended blocklist:
    197.149.90.166
    vandestaak.com
    thebackpack.fr
    obiectivhouse.ro

    MD5s:
    4b944c5e668ea9236ac9ab3b1192243a
    1939eba53a1289d68d1fb265d80e60a1

    Malware spam: "HSBC SecureMail" / "You have received a secure message"

    This fake HSBC email message has a malicious payload:


    From:    HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@hsbc.co.uk]
    Date:    16 September 2015 at 13:13
    Subject:    You have received a secure message


    You have received a secure message
    Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
    First time users - will need to register after opening the attachment.
    About Email Encryption - http://www.hsbc.co.uk/secureemail


    HSBC_Payment_87441653
    16K
    Attacked is a file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56.

    UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of 197.149.90.166 which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.

    MD5:
    359f0c584d718f44e9777e259f013031

    Monday, 14 September 2015

    Spam from "Vanessa Reynolds" / vanessa.reynolds@breedandco.com

    This spam does not seem to have a malicious payload, but is likely sent out by the same people who send out Upatre/Dyre malware spam (or possible Dridex):
    From     "Vanessa Reynolds" [vanessa.reynolds@breedandco.com]
    Date     Fri, 14 Sep 2015 10:34:32 GMT
    Subject     Hello, how are you?

    Hello, Calvin  how are you?
    The name after "Hello" varies in each version, for example:

    Hello, Sheldon  how are you?
    Hello, Lawanda  how are you?
    Hello, Thurman  how are you?
    Hello, Darlene  how are you?
    Hello, Rhea  how are you?

    The email is always "from" Vanessa Reynolds / vanessa.reynolds@breedandco.com although this is in fact just a simple forgery and Breed & Co (who are are a hardware store in Texas) are nothing to do with this.

    The purpose of this spam is unknown. One possibility is that the spammers are probing mail servers for responses (to enumerate valid mailboxes). The other is that this could be a targeted attack on Breed & Co by disrupting email and other means of communication.

    Some sending IPs for the record:
    175.111.117.26
    82.208.233.93
    85.100.114.244
    103.1.69.172
    111.196.186.87
    202.134.161.161

    Friday, 11 September 2015

    Malware spam: "Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva" / reports@officeteam.co.uk

    This fake financial spam comes with a malicious payload:
    From     "reports@officeteam.co.uk" [reports@officeteam.co.uk]
    Date     Fri, 11 Sep 2015 10:39:32 GMT
    Subject     Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva

    Please find attached your sales order acknowledgement

    Order No: EF150085
    Account: PFM895
    Your Reference: 14 /Geneva
    Web Reference:
    Kind Regards
    Office Team
    In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet).

    In this case, the payload is Upatre downloading the Dyre banking trojan.

    MD5:
    0a7e68a84765d639210b77575c2373bd

    Thursday, 10 September 2015

    Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]

    This fake fax spam comes with a malicious attachment:

    From     "UK2Fax" [fax2@fax1.uk2fax.co.uk]
    Date     Thu, 10 Sep 2015 14:07:11 +0100
    Subject     New Fax - 3901535011

    UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT
    Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the same Upatre/Dyre payload as seen it this attack also seen today.

    Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]

    This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:

    From     "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
    Date     Thu, 10 Sep 2015 06:32:37 -0500
    Subject     Payroll Received by Intuit

    Dear, petrol
    We received your payroll on Sep 10, 2015 at 09:01.

    Attached is a copy of your Remittance. Please click on the attachment in order to
    view it.

    Please note the deadlines and status instructions below:

    If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
    paid two (2) banking days from the date received or on your paycheck date, whichever
    is later. 

    If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
    days from the date received or on your paycheck date, whichever is later. 

    YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.

    Funds are typically withdrawn before normal banking hours so please make sure you
    have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.

    Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
    date or your employees will not be paid on time. 

    Intuit does not process payrolls on weekends or federal banking holidays. A list
    of federal banking holidays can be viewed at the Federal Reserve website.

    Thank you for your business.

    Sincerely,

    Intuit Payroll Services

    IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
    concerning your current service, software, or billing. Please note that if you previously
    opted out of receiving marketing materials from Intuit, you may continue to receive
    notifications similar to this communication that affect your service or software.

    If you have any questions or comments about this email, please DO NOT REPLY to this
    email. If you need additional information please contact us.

    If you receive an email message that appears to come from Intuit but that you suspect
    is a phishing email, please forward it to immediately to spoof@intuit.com.

    © 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
    trademarks and/or registered service marks of Intuit Inc. in the United States and
    other countries. All other marks are the property of their respective owners, should
    be treated as such, and may be registered in various jurisdictions.

    Intuit Inc. Customer Communications
    2800 E. Commerce Center Place, Tucson, AZ 85706 
    Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.

    In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.

    MD5:
    4dbdf9e73db481b001774b8b9b522ebe

    Tuesday, 8 September 2015

    ipserver.su, 5.133.179.0/24 and 212.38.166.0/24

    A follow-up to this post, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:

    person:         Oleg Nikol'skiy
    address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
    phone:          +18552100465
    e-mail:         abuse@ipserver.su
    nic-hdl:        ON929-RIPE
    mnt-by:         IPSERVER-MNT
    changed:        abuse@ipserver.su 20150528
    created:        2015-05-28T11:11:09Z
    last-modified:  2015-05-28T11:11:09Z
    source:         RIPE


    I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.

    Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.

    Here's what is odd. None of the sites that I found [pastebin] have a negative reputation, I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all.

    I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation, then my suggestion is that you block traffic to:

    5.133.179.0/24
    212.38.166.0/24

    In the meantime I will continue digging..

    Monday, 7 September 2015

    Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin

    So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26 suballocated to:

    contact:ID;I:POC-DC-1258
    contact:Auth-Area:contacts
    contact:Class-Name:contact
    contact:Name:Dmitry Glazyrin
    contact:Company:White Falcon Communications
    contact:Street-Address:3-758 Riverside Dr
    contact:City:Port Coquitlam
    contact:Province:BC
    contact:Postal-Code:V3B 7V8
    contact:Country-Code:CA
    contact:Phone:+1-510-580-4100


    The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..

    bilettver.ru
    ituslugi-ekb.ru
    kerept.ru
    porno-gt.com
    pornosup.com
    redkrab.com
    vgubki.com
    erotubik.com
    autowagen.ru
    decoitalcolor.ru
    jimbobox.ru
    kr-enot.ru
    alemanas.ru
    dynamo-energia.ru
    master-lesa.ru
    kinoprosmotra.net
    multi-torrent.com
    pl-games.ru
    voyeur-hard.com
    fishemania.com
    learnigo.ru
    qazashki.net
    surfus.ru
    mysuppadomainname.gq
    kinoprosmotrov.net
    multtracker.com
    kyricabgr.tk
    onlyhdporno.com
    stat-irc.tk
    white-wolves.tk
    blondescript.com
    dc-dcbcf352.hotvideocentral.com
    wishfishworld.com
    5ka.info
    igro-baza1.ru
    igro-baza2.ru
    igro-baza3.ru
    igro-baza4.ru
    igro-baza5.ru
    kinorelizov.net
    torrent-mult.com
    trailer-games.ru
    vvpvv10.ru
    vvpvv9.ru
    todoke.ru
    glazikvovana.cf
    glazikvovana.ga
    glazikvovana.gq
    glazikvovana.ml
    glazikvovana.tk
    glazikvovki.cf
    glazikvovki.ga
    glazikvovki.gq
    glazikvovki.ml
    glazikvovki.tk
    popochkavovana.cf
    popochkavovana.ga
    popochkavovana.gq
    popochkavovana.ml
    popochkavovana.tk
    popochkavovki.cf
    popochkavovki.ga
    popochkavovki.gq
    popochkavovki.ml
    popochkavovki.tk
    resnichkavovana.cf
    resnichkavovana.ga
    resnichkavovana.gq
    resnichkavovana.ml
    resnichkavovana.tk
    resnichkavovki.cf
    resnichkavovki.ga
    resnichkavovki.gq
    resnichkavovki.ml
    resnichkavovki.tk
    samaragss.ru
    wechkavovana.cf
    wechkavovana.ga
    wechkavovana.gq
    wechkavovana.ml
    wechkavovana.tk
    wechkavovki.cf
    wechkavovki.ga
    wechkavovki.gq
    wechkavovki.ml
    wechkavovki.tk
    zalypkavovana.ml
    zalypkavovana.tk

    zalypkavovki.cf
    zalypkavovki.ga
    zalypkavovki.gq
    zalypkavovki.ml
    zalypkavovki.tk
    zybikvovana.cf
    zybikvovana.ga
    zybikvovana.gq
    zybikvovana.ml
    zybikvovana.tk
    zybikvovki.cf
    zybikvovki.ga
    zybikvovki.gq
    zybikvovki.ml
    zybikvovki.tk
    staffrc.com
    stopudof.com
    35igr.ru
    adandc.ru
    avgyst.ru
    comedy24.ru
    e7ya.ru
    funrussia.ru
    ladykafe.ru
    med-cafe.ru
    mykazantip.ru
    ohotaforum.ru
    powerpoint-ppt.ru
    sibledy.ru
    turistvip.ru
    ya-pisatel.ru
    kypitest.ru
    anykadavai.tk
    forwarditaly.org
    getyourimesh.com
    mymobi.ml
    yellowfrance.org

    Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].

    Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.

    So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".

    However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.

    * fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.

    Malware spam: "Credit Note CN-60938 from Stilwell Financial Inc" / "message-service@post.xero.com"

    This fake financial spam comes with a malicious payload.
    From:    Accounts [message-service@post.xero.com]
    To:    hp_printer@victimdomain.com
    Date:    7 September 2015 at 11:55
    Subject:    Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)

    Hi Boris,

    To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]

    This has been allocated against invoice number

    If you have any questions, please let us know.

    Thanks,
    Stilwell Financial Inc

    In the only sample I saw, the download location for a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero, it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.

    Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it looks like it comes from Xero itself.
    Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])
        by [redacted] (Postfix) with ESMTP id 74F50400BE;
        Mon,  7 Sep 2015 11:59:12 +0100 (BST)
    Received: from mail2.go.xero.com (198.61.155.105) by
     GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP

     Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
    From: Accounts <message-service@post.xero.com>
    To:  hp_printer@[redacted]
    Date: Mon, 7 Sep 2015 12:55:16 +0200
    Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    X-Mailer: aspNetEmail ver 3.5.2.0
    Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>
    The fake parts of the headers are highlighted. The actual sending IP is 95.9.34.122 in Turkey. I don't know what the payload is in this case as the download location doesn't work, it will most likely be some sort of banking trojan.

    Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]

    This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:

    From     "Companies House" [WebFiling@companieshouse.gov.uk]
    Date     Mon, 7 Sep 2015 12:40:01 +0100
    Subject     RE: Case 0676414

    The submission number is: 0676414

    For more details please check attached file.

    Please quote this number in any communications with Companies House.

    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.

    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds.

    If you have any queries please contact the Companies House Contact Centre
    on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

    Note: This email was sent from a notification-only email address which cannot
    accept incoming email. Please do not reply directly to this message.

    Companies House
    4 Abbey Orchard Street
    Westminster
    London
    SW1P 2HT
    Tel +44 (0)303 1234 500  

    The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.

    This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.

    MD5:
    f1d62047d22f352a14fe6dc0934be3bb

    Friday, 4 September 2015

    Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0

    This fake résumé spam leads to ransomware:

    From:     fredrickkroncke@yahoo.com
    Date:    5 September 2015 at 03:50
    Subject:    RE:resume
    Signed by:    yahoo.com

    Hi my name is Teresa Alexander attach is my resume
    Awaiting your prompt reply

    Kind regards

    Teresa Alexander
    The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:



    Protected Document
    This document is protected by Microsoft Office.
    Please enable Editing and Content to see this document.

    Can’t view? Follow the steps below.
    Open the document in Microsoft Office. Previewing online does not work for protected documents.
    If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
    Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
    Following these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.

    The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:

    46.30.46.117 [Eurobyte LLC, Russia)
    186.202.153.84 (gaiga.net)
    192.186.235.39 (satisgoswamicollege.org)
    52.88.9.255 (entriflex.com)
    23.229.143.32 (eliasgreencondo.com)

    Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.

    Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)


    This further references another bunch of domains that you might want to block, especially in a corporate environment:

    namepospay.com
    optiontosolutionbbs.com
    optionpay2all.com
    democraticash.com


    This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:

    68.178.254.208 (erointernet.com)

    Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.

    The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.

    Recommended blocklist:
    46.30.46.0/24
    gaiga.net
    satisgoswamicollege.org
    entriflex.com
    eliasgreencondo.com
    erointernet.com
    namepospay.com
    optiontosolutionbbs.com
    optionpay2all.com
    democraticash.com

    MD5s:
    d6b3573944a4b400d6e220aabf0296ec
    5b311508910797c91cc9c9eb4b4edb0c


    DYNAMOO®

    DYNAMOO® is a registered trade mark :)


    Tuesday, 1 September 2015

    Malware spam: "Complaint of your Internet activity"

    This spam comes with a malicious attachment:

    From:    Margret Kuhic
    Date:    1 September 2015 at 16:10
    Subject:    Complaint of your Internet activity

    This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.

    Margret Kuhic
    Dynamic Communications Agent
    T: 1-679-732-5379
    F: 100.173.9045
    All the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a valid attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56.

    This Hybrid Analysis report shows it to be just another variant of Update / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor:

    197.149.90.166 (Cobranet, Nigeria)

    Some other subjects spotted include:
    Complaint notification 50646
    Infringement of your Internet activity
    Infringement notification 51494


    Malware spam: "Private message notification 41447" / "Adrien Abbott"

    This spam comes with a malicious attachment:
    From:    Adrien Abbott
    Date:    1 September 2015 at 12:34
    Subject:    Private message notification 41447

    You've received a private message. Please open the attached to view it.

    Adrien Abbott
    Chief Tactics Executive
    home: 1-583-761-3793
    work: 380.022.2492
    twitter: @nicole
    skype: nicole
    messenger: nicole
    I have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other variants could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56, the Hybrid Analysis report shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:

    197.149.90.166 (Cobranet, Nigeria)

    ..which is an IP that has been used several time for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor.

    MD5:
    7c94abe2e3b60f8a72b7358d50d04ee0

    Sunday, 30 August 2015

    WARNING: projectmanagementinternational.org / "Project Management International" aka Patty Jones and Anthony Christopher Jones

    "Project Management International" (projectmanagementinternational.org) appears to be another website run by Patty Jones (aka Patchree Patchrint) and Anthony Christopher Jones of California.

    These so-called training courses run by the Joneses are promoted through spam and have a terrible reputation. One BBB report for a previous incarnation of this scheme sums up many of the complaints that I have seen:

    Grant Funding USA advertised a 3-day grant writing workshop for non-profit professionals to be held November 12-14 at the Georgetown Law School campus in Washington DC. The course was described as an overview of the grant writing process and concluding with a certificate in professional grant writing. The cost was $495. My organization paid the fee, I received a confirmation email. I received a credit card authorization letter requesting authorization; we completed and submitted it. I spoke with an individual over the phone confirming my registration. I received a registration packet (about 15 pages) with suggestions for preparation and materials to bring to the course. On the first day, November 12, I arrived at Georgetown Law at 8 AM. The guard was unaware of our course and was working on figuring out where we needed to be (there were 7 other students). After about 45 minutes, we all received an email from the organization Grant Funding USA that said our instructor had fallen ill and they were working on securing a substitute instructor to start the class by the afternoon.At 1pm, we received an email from the same email address saying that they were unable to secure a substitute for Wednesday, but class would begin promptly at 8am on Thursday. I called the number for the organization multiple times and continually got their voicemail. On Thursday, November 13 at 8AM, I arrived at Georgetown again, and found the other students in the lobby upset and confused. The guard was unaware of the course and said he had no information for us. He directed me to the Georgetown Student Life office (who would have been responsible for securing the space). They informed me that Georgetown has never heard of Grant Funding USA nor has a relationship with them. There was no workshop scheduled to be held on their campus. Grant Funding USA has not answered my numerous calls or emails. Other participants fooled by this scam were from Smithsonian Institute and State Gov't of New Jersey.
    This story seems to be echoed over and over again. A venue is booked at a prestigious location, but changed at the last minute. The person taking the course very often seems to be ill and doesn't turn up. Sometimes an ill-prepared substitute teacher is found, but has difficulty being paid. Calls to the so-called institute are either not answered or met with hostility. Read the comments for more stories such as this.

    On to this particular scheme called "Project Management International" which should not be confused with many reputable organisations of a similar name, using the domain projectmanagementinternational.org which just frames another site at ipmam862026.sitebuilder.name.com. The "ipma" part of the name is significant as I will mention later. The site is promoted through spam email such as the one found here:

    Project Management Certification Course (July 28-31, 2015: University of Southern California)

    The Project Management Certification Course will be offered July 28 - 31, 2015 at the University of Southern California in Los Angeles, CA . Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .

    July 28 - 31, 2015
    University of Southern California

    Los Angeles, California

    The PMCC is designed for those seeking professional project management certification. It serves as both a thorough professional education and recognized certification. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development. 

    Project Management Masters Certification program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 36 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials.

    The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request.

    Program Description

    Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.

    The skills developed in the Project Management Masters Certification program apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets. 

    Our approach to project management education offers proven, results-focused learning.

    Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.

    Tuition

    Tuition for the four-day Project Management Certification Course is $995.00

    Program Schedule and Content
    1. Project Initiation, Costing, and Selection, Day 1
    2. Project Organization and Leadership, Day 2
    3. Detailed Project Planning, Day 2 and 3
    4. Project Monitoring and Control, Day 3 and 4
    5. Project Risk and Stakeholder Management, Day 4 

    Benefits
    ·   A Project Management International Certificate of Accomplishment is awarded upon completion of the four day program of five courses. Completion letters are given for each course.
    ·   Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.
    ·   Each class is highly focused and promotes maximum interaction.
    ·   You can network with other project management professionals from a variety of industries.
    ·   Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.
    ·    Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will have met all education requirements for eligibility.

    Registration

    Participants may reserve a seat online at the Project Management International website, by calling the Program Office toll-free at (800) 288-8387, or by sending their name and contact information via email to the Program Registrar .

    Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.

    To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.

    The site is generic looking but fairly smart:


    It lists some upcoming courses:
    August 25 - 28, 2015: University of Houston
    September 22- 25, 2015: University of Miami
    October 6-9, 2015: University of Southern California  

    The domain was registered on May 20th 2015 to an anonymous registrant. The site itself lists no contact details on the Contact page:


    It appears to be using an email address of "info@projectmanagementinternational.org" for correspondence, but a look at the underlying HTML tells a different story:
    <h4> If you have any additional questions, simply email us directly at  <a href="mailto:info@grantfundingusa.org?subject=ContactUS"> </a> <a href="mailto:grantfundingusa@gmail.com?subject=Contact+Us" target="_self" title="info@thefundinginstitute.org">info@projectmanagementinternational.org </a>  and our coordinators will respond to you directly.  </h4>
    The underlying code references both info@grantfundingusa.org and grantfundingusa@gmail.com (the organisation mentioned in the BBB report I mentioned earlier) and which is the same site I warned about a year ago. The only other contact details on the site are a telephone number of 800-288-8387.

    The "About Project Management page" features some generic text about Project Management:


    The text is almost identical to the defunct website Institute of Program Management America (IPMA) that I mentioned last year. If you remember, this new website also uses "IPMA" in its underlying URL (ipmam862026.sitebuilder.name.com) which also links the two schemes. A RipOffReport for IPMA also shows the same pattern as before.

    There is little doubt that this is the same scheme as mentioned in all my previous posts on the activities of Jones and Patchrint. My personal recommendation is that you give this "Project Management International" a very wide berth, and if you feel that you have been defrauded then you would be doing a lot of people a favour if your pursued them aggressively. Also, if you have any positive (or negative) experiences then sharing them in the Comments would be appreciated.

    Thursday, 27 August 2015

    Malware spam: "Payslip for period end date 27/08/2015" / "noreply@fermanagh.gov.uk"

    This spam does not come from Fermanagh District Council. Of course it doesn't. It is instead a simple forgery with a malicious attachment:

    From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
    Date:    27 August 2015 at 12:28
    Subject:    Payslip for period end date 27/08/2015

    Dear administrator

    Please find attached your payslip for period end 27/08/2015

    Payroll Section

    Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.

    This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.

    MD5:
    fdea30868df48bff9e7c2b2605431d23

    Wednesday, 26 August 2015

    Malware spam: "RE:resume" leads to Cryptowall

    This fake resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware.

    In the only sample I saw, the spam looks like this:

    From:    emmetrutzmoser@yahoo.com
    To:   
    Date:    26 August 2015 at 23:29
    Subject:    RE:resume
    Signed by:    yahoo.com

    Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply

    Best regards

    Janet Ronald
    Attached was a file Janet_Ronald_resume.doc [VT 5/56] which (of course) contains a malicious macro that looks like this [pastebin].

    The format of this message is very similar to this other fake resume spam seen recently, and a key feature here is that the message is really sent through Yahoo! and is not a forgery.

    Deobfuscating the macro shows that a file is downloaded from http://46.30.46.60/444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report shows some of this in action, but Techhelplist did the hard work of decrypting it..


    To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report which has some nice screenshots.

    Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:

    46.30.46.60 (Eurobyte, Russia)
    linecellardemo.net / 23.229.194.224 (GoDaddy, US)

    You might want to block the entire 46.30.46.0/24 range because.. well, Russia really.

    MD5s:
    41177ea4a2c88a2b0d320219389ce27d
    d1e23b09bb8f5c53c9e4d01f66db3654