Sponsored by..

Thursday, 22 October 2015

Malware spam: "Notice to Appear" / Notice_to_Appear_00800614.zip

This fake legal spam comes with a malicious attachment:

From:    District Court
Date:    22 October 2015 at 19:03
Subject:    Notice to Appear

Notice to Appear,

This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Sincerely,
Michael Newell,
District Clerk.

Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js which looks like this [pastebin]. This obfuscated script translates into something a bit more understandable which clearly references the following domains:

www.flowarrior.com
www.abama.org
littlefacesofpanama-association.com

The Hybrid Analysis report  shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55 (possibly Cridex). It reference the following IPs as being highly suspect:

91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)

A large number of IPs are queried according to that report:

66.147.244.241 80 TCP United States
ASN: 46606 (Unified Layer)

Possibly Malicious (Details)
78.24.220.229 80 TCP Russian Federation
ASN: 29182 (ISPsystem, cjsc)
74.231.32.162 80 TCP United States
118.120.73.233 80 TCP China
29.225.112.86 80 TCP United States
100.73.14.38 80 TCP Reserved
58.101.131.47 80 TCP China
123.59.97.196 80 TCP China
166.32.216.239 80 TCP United States
149.91.92.120 80 TCP United States
24.216.168.199 80 TCP United States
105.140.148.131 80 TCP Morocco
163.58.44.144 80 TCP Japan
142.84.237.228 80 TCP Canada
15.108.255.248 80 TCP United States
220.168.3.242 80 TCP China
169.69.97.65 80 TCP United States
136.48.1.199 80 TCP United States
193.224.232.11 80 TCP Hungary
46.156.117.74 80 TCP Norway
15.73.25.4 8080 TCP United States
156.95.94.161 80 TCP United States
2.95.43.213 80 TCP Russian Federation
201.112.96.9 443 TCP Mexico
168.202.241.83 80 TCP Italy
126.200.226.38 80 TCP Japan
218.169.88.145 80 TCP Taiwan; Republic of China (ROC)
25.227.76.74 80 TCP United Kingdom
7.58.91.181 80 TCP United States
2.9.47.33 80 TCP France
82.64.212.187 80 TCP France
160.252.229.129 80 TCP Japan
3.19.211.174 80 TCP United States
206.36.90.112 80 TCP United States
70.162.95.85 80 TCP United States
179.74.44.184 80 TCP Brazil
27.60.28.101 80 TCP India
72.131.92.208 80 TCP United States
192.15.148.68 80 TCP United States
161.183.113.148 80 TCP United States
89.194.8.74 80 TCP United Kingdom
74.60.141.199 443 TCP United States
185.124.201.36 80 TCP Germany
57.254.22.27 80 TCP Belgium
223.212.109.175 443 TCP China
184.128.6.160 80 TCP United States
222.26.8.100 80 TCP China
201.80.124.250 80 TCP Brazil
28.245.107.140 8080 TCP United States
7.205.88.91 80 TCP United States
134.208.174.118 443 TCP Taiwan; Republic of China (ROC)
101.42.94.123 80 TCP China
89.184.155.55 8080 TCP Denmark
73.136.226.227 80 TCP United States
92.242.113.252 80 TCP Ukraine
183.80.180.237 80 TCP Viet Nam
189.217.246.252 80 TCP Mexico
162.124.240.218 80 TCP United States
169.244.37.32 80 TCP United States
121.213.170.136 8080 TCP Australia
91.121.108.77 80 TCP France
161.187.226.73 8080 TCP Canada
160.124.108.194 8080 TCP South Africa
132.201.159.171 80 TCP United States
36.136.60.81 80 TCP China
155.159.37.116 80 TCP South Africa
139.171.227.16 80 TCP United States
119.243.117.9 443 TCP Japan
42.199.100.99 80 TCP China
170.225.41.44 80 TCP United States
27.122.177.126 80 TCP Korea Republic of
151.75.83.209 80 TCP Italy
203.207.191.222 8080 TCP China
208.97.41.75 80 TCP United States
179.184.50.147 80 TCP Brazil
126.155.24.64 80 TCP Japan
86.14.23.181 80 TCP United Kingdom
182.162.87.90 80 TCP Korea Republic of
126.85.62.33 80 TCP Japan
96.60.99.19 80 TCP United States
118.123.163.35 80 TCP China
69.190.137.38 80 TCP United States
49.56.139.124 80 TCP Korea Republic of
135.35.59.201 80 TCP United States
57.25.34.69 80 TCP Belgium
174.190.210.89 80 TCP United States
206.91.83.240 80 TCP United States
16.143.86.194 80 TCP United States
99.212.19.159 80 TCP Canada
171.214.61.169 80 TCP China
194.184.155.135 80 TCP Italy
98.30.91.219 80 TCP United States
30.130.130.227 80 TCP United States
201.231.21.9 80 TCP Argentina
10.85.253.242 8080 TCP Reserved
41.70.25.98 80 TCP Malawi
2.239.93.99 80 TCP Italy
178.216.173.66 80 TCP Ukraine
102.239.48.12 80 TCP Indonesia
170.229.125.27 443 TCP United States
170.202.85.86 80 TCP United States
138.204.51.115 80 TCP Brazil
90.59.134.25 80 TCP France
179.105.47.26 80 TCP Brazil
190.128.247.9 80 TCP Paraguay
62.74.109.148 80 TCP Greece
39.6.23.63 80 TCP Korea Republic of
199.12.247.12 80 TCP United States
1.235.148.23 80 TCP Korea Republic of
128.166.232.112 80 TCP United States
198.12.245.130 80 TCP United States
180.59.204.28 80 TCP Japan
191.205.91.94 443 TCP Brazil
166.97.6.127 80 TCP United States
35.174.179.31 80 TCP United States
202.94.163.179 80 TCP Malaysia
199.2.172.193 80 TCP United States
36.4.249.54 80 TCP China
87.60.146.60 80 TCP Denmark
159.157.156.108 80 TCP United States
41.103.3.7 80 TCP Algeria
190.5.47.228 80 TCP Chile
102.197.139.86 8080 TCP Indonesia
79.181.62.136 80 TCP Israel
196.221.146.64 8080 TCP Egypt
45.215.43.254 80 TCP Zambia
133.50.67.191 443 TCP Japan
197.187.96.58 80 TCP Tanzania United Republic of
81.11.14.8 80 TCP European Union
165.216.148.197 80 TCP United States
26.159.93.175 80 TCP United States
55.192.224.240 80 TCP United States
99.183.118.77 8080 TCP United States
97.132.112.64 80 TCP United States
161.158.216.248 80 TCP Netherlands
171.36.6.24 80 TCP China
86.17.207.59 80 TCP United Kingdom
65.170.164.185 80 TCP United States
203.116.171.38 80 TCP Singapore
81.131.210.206 80 TCP United Kingdom
144.69.59.80 80 TCP United States
108.132.28.175 80 TCP United States
54.173.72.227 80 TCP United States
48.227.99.193 80 TCP United States
165.244.29.101 80 TCP Korea Republic of
61.163.159.70 80 TCP China
141.54.70.120 80 TCP Germany
22.6.129.165 80 TCP United States
16.65.24.201 80 TCP United States
107.66.193.112 80 TCP United States
113.185.128.185 80 TCP Viet Nam
185.242.98.255 80 TCP Germany
39.247.94.231 80 TCP Indonesia
1.136.195.240 80 TCP Australia
176.2.178.107 443 TCP Germany
211.57.175.126 80 TCP Korea Republic of
16.78.184.90 80 TCP United States
121.237.58.132 80 TCP China
45.115.246.94 80 TCP China
42.213.207.250 80 TCP China
202.217.115.34 80 TCP Japan
20.100.36.35 80 TCP United States
73.178.96.229 80 TCP United States
177.85.76.19 80 TCP Brazil
184.148.22.247 80 TCP Canada
153.228.8.191 80 TCP Japan
196.226.207.67 443 TCP Liberia
171.178.119.233 80 TCP United States
175.198.60.5 80 TCP Korea Republic of
196.9.179.56 80 TCP South Africa
20.163.126.33 443 TCP United States
152.223.8.195 80 TCP United States
12.51.242.168 80 TCP United States
197.169.155.191 80 TCP South Africa
95.198.239.136 8080 TCP Sweden
209.93.5.164 80 TCP United States
200.17.48.177 80 TCP Brazil
37.147.149.212 80 TCP Russian Federation
113.201.208.234 80 TCP China
157.219.20.253 80 TCP United States
45.72.49.98 80 TCP United States
87.196.69.215 80 TCP Portugal
141.251.31.43 80 TCP United States
30.28.29.139 8080 TCP United States
211.72.127.114 80 TCP Taiwan; Republic of China (ROC)
126.62.177.152 8080 TCP Japan
67.62.93.143 80 TCP United States
4.219.11.148 80 TCP United States
220.15.135.111 80 TCP Japan
6.193.44.176 80 TCP United States
88.18.235.212 80 TCP Spain
65.235.102.3 80 TCP United States
212.246.252.248 80 TCP Finland
65.44.223.34 80 TCP United States
67.147.184.3 443 TCP United States
218.100.198.67 8080 TCP China
183.74.253.72 443 TCP Japan
189.99.113.170 443 TCP Brazil
202.113.235.65 80 TCP China
78.193.245.197 80 TCP France
20.87.185.21 443 TCP United States
34.94.156.167 80 TCP United States
16.154.131.128 443 TCP United States
112.236.139.20 80 TCP China
37.217.232.246 80 TCP Saudi Arabia

I have not had the change to check those individual IP addresses, but I recommend that you block the following two at least:

91.121.108.77
78.24.220.229 


UPDATE 26/10/15:

A slightly revised version of this is circulating:


Notice to Appear,

This is to inform you to appear in the Court on the November 03 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Yours faithfully,
Nathan Andrews,
District Clerk.
The attachment is Notice_to_Appear_000314661.zip which contains a file Notice_to_Appear_000314661.doc.js which has a VirusTotal detection rate of 14/55. According to this Hybrid Analysis report it contacts a LOT of IPs, but these in particular should be blocked:

67.199.5.184 (CrystalTech Web Hosting, US)
78.24.220.229 (TheFirst-RU, Russia)
189.131.94.156 (UniNet, Mexico)
74.10.19.66 (Knox Attorney Service Inc., US)


The following files are dropped (VT reports) [1] [2] [3]

Recommended blocklist:
67.199.5.184
78.24.220.229
189.131.94.156
74.10.19.66

  ssf

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk" (again)

This fake invoice does not comes from United Utilities Scotland, but is instead a simple forgery with a malicious attachment. It is very similar to this spam sent a few days ago.

From     "UUSCOTLAND" [UUSCOTLAND@uuplc.co.uk]
Date     Thu, 22 Oct 2015 19:30:13 +0700
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk
Unitedutilitiesscotland.com


EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

www.unitedutilities.com
www.unitedutilities.com/subsidiaries
So far I have seen three different versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of about between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing one of these malicious macros [1] [2] [3].

Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates.

UPDATE 1:
This VirusTotal report also identifies the following download locations:

beauty.maplewindows.co.uk/t67t868/nibrd65.exe
dtmscomputers.co.uk/t67t868/nibrd65.exe
namastetravel.co.uk/t67t868/nibrd65.exe 


This file has a VirusTotal detection rate of 2/54 and that report indicates network traffic to:

198.74.58.153 (Linode, US)

Further analysis is pending, in the meantime I suggest that you block traffic to the above IP.

MD5s:
782a72da42da3fe9bd9e652dd08b968a
5dad04118f9f26e1d5fcc457c52aeebb
6c7e84f91bd27b7252e0eccfb00b896d
7be71a7317add5bff876a9e5a04fcba1

Wednesday, 21 October 2015

Fake job offer: helicoptersjob.com

This job offer is a fake:

From:    victim@victimdomain.com
To:    victim@victimdomain.com
Date:    21 October 2015 at 14:35
Subject:    Staff Wanted

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in consultation services in the matter of bookkeeping and business administration.
We cooperate with different countries and currently we have many clients in the US.
Due to this fact, we need to increase the number of our destination representatives' regular staff.

In their duties will be included the document and payment control of our clients.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1000 up to $3,000 per month.

If you are interested in our offer, mail to us your answer on conrade@helicoptersjob.com and we will send you an extensive information as soon as possible.

Respectively submitted
Personnel department

The email appears to originate from the recipients own email address,  but this is just a forgery and is nothing to worry about.

The job being offered is actually part of a criminal organisation, such as money laundering or some other fraud such as a parcel reshipping scam.

The domain helicoptersjob.com was registered just today to a registrant in China. It is connected with several other long-running job scams going back several years. Avoid.

Malware spam: "INVOICE FOR PAYMENT - 7500005791" / "Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]"

This fake financial spam is not from Lancashire Police but is a simply forgery with what appears to be a malicious attachment.

From:    Whitehead, Lyn [Lyn.Whitehead@lancashire.pnn.police.uk]
Date:    21 October 2015 at 10:15
Subject:    INVOICE FOR PAYMENT - 7500005791

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Email: Lyn.Whitehead@lancashire.pnn.police.uk

********************************************************************************************

This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments, without retaining a copy.

Lancashire Constabulary monitors its emails, and you are advised that any e-mail you send may be subject to monitoring.

This e-mail has been scanned for the presence of computer viruses.

******************************************************************************************** 
The attachment appears contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending.

The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive.

Other analysis is pending please check back.

UPDATE 1:
Another version of this is in circulation, also with zero detections at VirusTotal.  The Hybrid Analysis for both samples in inconclusive [1] [2].

UPDATE 2:
An analysis of the documents shows an HTTP request to:

ip1.dynupdate.no-ip.com:8245

All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise.

UPDATE 3:
All the attachments I have seen so far are corrupt, with an extra byte at the beginning (thanks). If you opened it and got a screen like this:

Source: Malwr.com
..then you are not infected. Incidentally, this only infects Windows PCs anyway.

The "fixed" malicious documents have a detection rate of about 6/56 [1] [2] [3] - analysis of these documents is pending, although I can tell you that they create a malicious file in %TEMP%\HichAz2.exe.

UPDATE 4:
The Hybrid Analysis reports for the documents can be found here [1] [2] [3] show that the macros [example] in the document download a binary from the following locations:

www.sfagan.co.uk/56475865/ih76dfr.exe
www.cnukprint.com/56475865/ih76dfr.exe
www.tokushu.co.uk/56475865/ih76dfr.exe
www.gkc-erp.com/56475865/ih76dfr.exe

At present this has a zero detection rate at VirusTotal (MD5 7f0076993f2d8a4629ea7b0df5b9bddd). Those reports in addition to this Malwr report indicate malicious traffic to the following IPs:

89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)


The payload is probably the Shifu banking trojan.

Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49

Tuesday, 20 October 2015

Malware spam: "Shaun Buzzard [shaunb@hubbardproducts.com]" / "Order"

This fake financial spam does not come from Hubbard Products but is instead a simple forgery with a malicious attachment:

From     Shaun Buzzard [shaunb@hubbardproducts.com]
Date     Tue, 20 Oct 2015 16:05:55 +0530
Subject     Order

Hi ,
Please find attached order.

Kind regards.
Shaun Buzzard

Hubbard Products Limited
Hillview, Church Road, Otley, Suffolk. IP69NP
Registered in England No. 6217134

Email: shaunb@hubbardproducts.com
DDI: 01473892216

Fax: 01473890687


Important Email Information :
The information contained in this email is confidential and may be legally privileged.
This email is intended to be viewed initially only by the named individual or legal
entity. If the reader of this email is not the intended recipient or a representative
of the intended recipient, you are hereby notified that any reading, dissemination
or copying of this email or of the information contained herein is prohibited. If
you have received this email in error please immediately notify the sender by return,
delete this email and destroy any hard copies immediately. Thank you

The attachment is named lp22_20151013_164535.doc and I have seen the following MD5s:

608D1733D6E47C7BEE187C1EE890D6E3
C6CD52B59FC772EDDE4DF5D4058524FE
001415839B511361BC429C379892065D


The payload is the Dridex Shifu banking trojan, as seen in this spam run earlier today.

Malware spam: "Purchase Order No: 48847" / "Harminder Saund"

This fake financial spam comes with a malicious payload:

From     Harminder Saund [MinSaund77@secureone.co.uk]
Date     Tue, 20 Oct 2015 16:08:53 +0700
Subject     Purchase Order No: 48847

Attached is a copy of our Purchase Order number 48847

==============
Harminder Saund

Secure One
==============

The sender's email address varies slightly, for example:

MinSaund77@secureone.co.uk
MinSaund92@secureone.co.uk
MinSaund94@secureone.co.uk
MinSaund013@secureone.co.uk

Attached is a file PO_48847.DOC which I have seen two different versions of so far (VirusTotal [1] [2]) each containing a slightly different malicious macro [1] [2]. There are probably different versions of the document with different macros.

Automated analysis is pending, however the payload is most likely the Dridex banking trojan. Please check back for updates.

MD5s:
c6cd52b59fc772edde4df5d4058524fe
001415839b511361bc429c379892065d

UPDATE:
So far, three download location have been identified..

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

The payload has been reported to be Shifu, not Dridex.

Malware spam: "GOMEZ SANCHEZ"[postmail@bellair.net]

This spam comes with a malicious attachment:

From     "GOMEZ SANCHEZ"[postmail@bellair.net]
To    
Date     Tue, 20 Oct 2015 13:14:56 +0430
Subject     victim@victimdomain.tld

Congratulations

Print out the attachment file fill it and return it back by fax or email

Yours Sincerely

GOMEZ SANCHEZ
The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]) contains one of these three malicious macros [1] [2] [3] .

Analysis of the payload is pending, but is likely to be the Dridex banking trojan. Please check back later.

MD5s:
24d9cd4caca15882dc4f142b46a16622
9a10c47dcdd28017afeec5aca2c71191
d63f6150b45227c20901ee887062d8de

UPDATE:

Sources say that the payload is Shifu, not Dridex. So far, three download location have been identified..

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

Monday, 19 October 2015

Malware spam: "COS007202" / "Stephanie Greaves [sgreaves@btros.co.uk]"

This fake financial spam does not come from Bombardier Transportation but is instead a simple forgery with a malicious attachment:

From     "Stephanie Greaves" [sgreaves@btros.co.uk]
Date     Mon, 19 Oct 2015 12:06:42 +0430
Subject     COS007202

Good morning,

Please see attached purchase order.

Kind regards,

Stephanie Greaves


Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD
Attached is a file COS007202.doc which comes in at least three different versions (VT results [1] [2] [3]) each containing a slightly different malicious macro [1] [2] [3] [pastebin].

Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan. Please check back later.


UPDATE:
According to these Hybrid Analysis reports [1] [2] [3] , those macros download from the following locations:

euroagroec.com/35436/5324676645.exe
demo9.iphonebackstage.com/35436/5324676645.exe
webmatique.info/35436/5324676645.exe


The binary they download has a VirusTotal detection rate of 3/56 and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:

157.252.245.49 (Trinity College Hartford, US)

I recommend that you block traffic to that IP.

MD5s:
1de3889fde95e695adf6eadcb4829c6d
7ae379d02b72d5768cc07f4241def163
d9cd6d350cde885bd9c0171b6a56ee52
aea40296ee7eb0c73ae488b918572481

Thursday, 15 October 2015

Malware spam: "[Scan] 2015-10-14 5:29:54 p.m." / "Ray White [rw@raylian.co.uk]"

This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery.

From     Ray White [rw@raylian.co.uk]
Date     Thu, 15 Oct 2015 10:56:35 +0200
Subject     [Scan] 2015-10-14 5:29:54 p.m.

Amanda's attached.

In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro [pastebin] . The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:

sdhstribrnalhota.xf.cz/86575765/6757645.exe

Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for this indicates connections to:

89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)


The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.

Recommended blocklist:
89.32.145.12
195.154.251.123

MD5s:
30e1ad13b091ec24935724ed0abf62ca
bc571b3cfa8902da248420ba5e765a40

Monday, 12 October 2015

Q: Who is StockTips.com? A: Adrian Thomas of Euro Ventures SA

I've seen spam allegedly from StockTips.com a few times (such as here and here). I have no solid evidence that the people running StockTips.com are responsible for the spam, but last time I looked at them I was frustrated by the lack of transparency.

It turns out that a mistake by the owners of StockTips.com may have revealed their identities. The StockTips.com registration is normally hidden by Moniker Privacy Services, but at the end of August it seems that the service wasn't running, revealing the apparent identity of the owner:

Registrant Name: Adrian Thomas
Registrant Organization: EuroVentures S.A.
Registrant Street: 10, Route de l'Aeroport
Registrant City: Geneva
Registrant State/Province: Geneva
Registrant Postal Code: 1215
Registrant Country: CH
Registrant Phone: +41.797459914
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: athomas@pan-euro.pl


It turns out that I'd missed an older non-private entry in the WHOIS data too..

ADRIAN THOMAS athomas@pan-euro.pl
Euro Ventures S.A.
10, Route de l'Aeroport
Word Trade Center
Geneva
Geneva
1215
CH
Phone: +41.227990800
Fax:   +41.227990801


Using this information we can piece together a set of related domains:

  • stocktips.com
  • stocktipsemail.com
  • euroventures.com
  • madblitz.com
  • growthpicks.com
  • investors4cash.com
  • investors4cash.net
  • investors4cash.org
  • evreit.com
  • cheuramconsultinggroup.com
  • cheurgrp.com
  • stellargains.com
  • stocktradehotline.com
  • topbusinessdaily.com
"Mr Thomas" is on LinkedIn..


A slightly different haircut and beard, but it is the same person on euroventures.com..

Am I saying that Mr Thomas (if that is his real name) is a spammer? No.. I have no evidence to show that the spam I have seen actually comes from StockTips.com (they deny sending out spam). But it's always good to see the sort of person who is giving you financial advice.. even if they don't want you to find out.

Pump and Dump spam: SAFSD / Safer Shot, Inc

This illegal pump-and-dump spam is trying to promote a failed stock SAFSD / Safer Shot, Inc:

From     "StockTips.com" [paul@stocktips.com]
Date     Mon, 12 Oct 2015 14:59:09 +0200
Subject     My newest stock tip is here

Statler here.

My NEWEST MONSTER PICK is - Safer Shot Inc. And they trade under the tickersymbol
- SAFSD orSAFS

I don’t know if you know this, but technically, 0.0001 is the lowest that astock
can trade at on the open market…

0.0001 is THE FLOOR!

So it stands to reason, if you get in at the ground level (THE FLOOR ), thestock
CANNOT go lower.

So technically you have limited your downside.

Go buy SAFSD NOW and quadruple your money quick!
There is a slightly different version of the spam with the same body text but a different sender..

From     "StockTips.com" [Alerts@subpenny.com]
Date     Mon, 12 Oct 2015 21:16:49 +0330
Subject     My newest stock tip is here
For a technical analysis of just how shitty this stock is, this write-up at Hot Stocked explains it nicely. The company is worth virtually nothing, but by virtue of having an astonishing 1.16 trillion shares issues at 0.0001 cents each (the lowest a share can trade at), it has a completely unrealistic market capitalisation of $116 million. This is basically a ridiculously stupid way to manipulate the markets and quite how they are allowed to do it is a mystery.

The point of this spam is to try to get the stock price to move even just a little bit, so somebody who holds a substantial amount can try to make some money off some suckers who will lose pretty much everything they put in.

Hot Stocked notes that this is a "promoted stock" but there is no guarantee that StockTips.com is actually sending out this tsunami of spam. So far I have seen 500+ unique IP addresses which have the characteristics of an illegal botnet.

Whoever is sending out these spam messages is breaking the law. Anybody who tries to invest in this stock is likely to lose out. Remember, despite the claim that a 0.0001 cannot go any lower.. if the company folds, then they will probably be worth precisely nothing. Avoid.

Update:
StockTips.com categorically denies any involvement..



 ..but because I have looked into StockTips.com before I had another look to try and deduce who the mystery owner is and discovered the apparent site operator.

Malware spam: "Water Services Invoice" / "UUSCOTLAND@uuplc.co.uk"

(Note, an updated version of this spam run happened on 22nd October)

This fake financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:

From     "UUSCOTLAND" <UUSCOTLAND@uuplc.co.uk>
Date     Mon, 12 Oct 2015 17:12:12 +0530
Subject     Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of
12 September 2015 to 12 October 2015.

If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk<mailto:uuscotland@uuplc.co.uk>.

Kind regards

Melissa

Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)
Melissa.lears@uuplc.co.uk<mailto:Melissa.lears@uuplc.co.uk>
Unitedutilitiesscotland.com


EMGateway3.uuplc.co.uk made the following annotations
---------------------------------------------------------------------
The information contained in this e-mail is intended only
for the individual to whom it is addressed. It may contain
legally privileged or confidential information or otherwise
be exempt from disclosure. If you have received this Message
in error or there are any problems, please notify the sender
immediately and delete the message from your computer. You
must not use, disclose, copy or alter this message for any
unauthorised purpose. Neither United Utilities Group PLC nor
any of its subsidiaries will be liable for any direct, special,
indirect or consequential damages as a result of any virus being
passed on, or arising from the alteration of the contents of
this message by a third party.

United Utilities Group PLC, Haweswater House, Lingley Mere
Business Park, Lingley Green Avenue, Great Sankey,
Warrington, WA5 3LP
Registered in England and Wales. Registered No 6559020

www.unitedutilities.com
www.unitedutilities.com/subsidiaries

Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least four different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro that looks like this example. Download locations spotted so far are:

ukenterprisetours.com/877453tr/rebrb45t.exe
eventmobilecatering.co.uk/877453tr/rebrb45t.exe
thewimbledondentist.co.uk/877453tr/rebrb45t.exe
cardiffhairandbeauty.co.uk/877453tr/rebrb45t.exe


All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
46.20.120.64
109.108.129.21
213.171.218.221

This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56.  That VirusTotal report and this Malwr report indicate traffic to:

149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102 (Data Net SRL, Romania)


I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.

Recommended blocklist:
149.210.180.13
86.105.33.102

MD5s:
6a95b030e91e804f73d14d14cb26e884
04e1476d464fafa559bd1bd8ea38749c
f7389b47c3dbe57f24dafb3b9a7818a2
b4b7a46938f9965169ca1dad29d2d8fc
40d4c1771caba32a2a25e4236f80b548





Malware spam: "Insurance" / "accounts@nolettinggo.co.uk"

This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.

From     [accounts@nolettinggo.co.uk]
Date     Mon, 12 Oct 2015 11:43:16 +0330
Subject     Insurance

Dear all

Please find attached insurance paperwork including EL certificate.  Invoices
will follow at the beginning of November.

Regards

Karen
In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56. This particular document contains this malicious macro [pastebin] which downloads a malware component from the following location:

ukenterprisetours.com/877453tr/rebrb45t.exe 

The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56.

That VirusTotal report and this Hybrid Analysis report show network traffic to:

149.210.180.13 (TransIP BV, Netherlands)

I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan.

MD5s:
6b0c1290d653a4f92a6214a9c91bd23b
04e1476d464fafa559bd1bd8ea38749c
  

Saturday, 10 October 2015

Scam: "Jim Bing [jim.bing@cn-registry.cn]" / "Huayin Ltd"


This email is part of a long-running Chinese domain scam:
From:    Jim Bing [jim.bing@cn-registry.cn]
Date:    10 October 2015 at 13:52
Subject:    Re:"slimeware"





Dear CEO,
(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huayin Ltd on October 9, 2015. They want to register " slimeware " as their Internet Keyword and " slimeware .cn "、" slimeware .com.cn " 、" slimeware .net.cn "、" slimeware .org.cn " 、" slimeware .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " slimeware " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?


Best Regards,

Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.cn

Slimeware.com is an ancient site of mine that parodies adware companies. I doubt very much that anyone is trying to use this as a domain name for a legitimate business, and I couldn't care less if they did anyway. In fact, what is happening here is that the scammer "Jim Bing" (is he related to Terry Google?) is just trying to get you to panic and buy and overpriced and worthless domain name.

It's a pretty common scam, and I have explained the basics in the video below..


Friday, 9 October 2015

Malware spam: "Your latest DHL invoice : MSE7396821" / "e-billing.uk1@dhl.com"

This fake invoice spam is not from DHL, but is instead a simple forgery with a malicious attachment:

From:    e-billing.uk1@dhl.com
Date:    9 October 2015 at 09:54
Subject:    Your latest DHL invoice : MSE7396821



THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY

Dear Customer,

Please find attached your invoice in DOC format, dated 09/09/2015 for shipments and services supplied by DHL Express.

If you would like to download your invoice in a different format, click here to go to the DHL e-Billing website. You can also view your account details and on line invoice history here.

In the event of a problem with opening the attachment, please contact the e-Billing support team on 020 8831 5363 for assistance.

If you would like to verify the digital signature on this invoice, click here to go to the DHL e-Billing website and go to the FAQ section for instructions.

For all invoice content related queries, please contact 08442 480 777.

We look forward to receiving your payment in due course, and within the agreed credit terms as stated on your invoice.

We would like to thank you for using the services of DHL Express.

With kind regards,

The DHL e-Billing team


PROTECT YOUR PASSWORD

In the only sample I have seen, the attached file is named MSE7396821.doc and has a VirusTotal detection rate of 5/55. This contains a malicious macro [pastebin] which downloads a file from the following location:



flexicall.co.uk/fsf4fd32/8ik6sc.exe

There will undoubtedly be different versions of the document with different download locations. This binary is saved as %TEMP%\vtsAbd.exe and has a VirusTotal detection rate of 2/54. That VirusTotal report, this Malwr report and this Hybrid Analysis report show network traffic to:

86.105.33.102 (Data Net SRL, Romania)

I recommend that you block traffic to and from that IP address. The payload appears to be the Dridex banking trojan.

MD5s:
79b6080e3c2de566ee7c284a64f62a40
31f6d50a5757d5b5ba24a6f5dab01567

Thursday, 8 October 2015

Malware spam: "Deposit Payment" / "Frederico Kessler [Frederico.Kessler@Gamesys.co.uk]"

This fake financial email does not comes from Frederico Kessler but is instead a simple forgery with a malicious attachment:

From     Frederico Kessler [Frederico.Kessler@Gamesys.co.uk]
Date     Thu, 08 Oct 2015 04:14:23 -0700
Subject     Deposit Payment

Hi,

Attached is receipt of transfer regarding the deposit increase for our new contract
to the Cherry Tree Cottage.
Let me know if its all sorted.

Frederico Kessler
Product Owner | Games Platform
[cid:9DCD81C9-9267-4802-AAE1-B3AF9887E131]
[gamesysign]
4th Floor, 10 Piccadilly
London, W1J 0DD

Email: frederico.kessler@gamesys.co.uk

Attached is a malicious Excel document named Payments Deposit.xls which comes in five different versions (so far) [1] [2] [3] [4] [5] each containing a slightly modifed macro [example] which downloads a malicious executable from the following locations:

archives.wnpvam.com/bvcb34d/983bv3.exe
swaineallen.uk/bvcb34d/983bv3.exe
katastimataone.com/bvcb34d/983bv3.exe
vsehochuti.unas.cz/bvcb34d/983bv3.exe
dmedei.3x.ro/bvcb34d/983bv3.exe


These download locations have been in use for a couple of other spam runs [1] [2] but now the payload has been altered and has a VirusTotal detection rate of 3/56.  That VirtusTotal report and this Hybrid Analysis report show traffic to:

198.61.187.234 (Rackspace, US)

I recommend that you block traffic to that IP.

MD5s:
5bddf5271b1472eca61a6a2d66280020
8df205eff019378f33c7b512f81a2087
aa93cbf333d1dcaf1408207938dbd5c3
d7a5bf7ae458e3584a01d1c5df0186db
59cd64d7e98f71870b6746ecb4b31b40
fa31f4fced30b9b1a720f4072afde32d


Malware spam: "Invoice for Payment" / "CivicaReports@plymouth.gov.uk"

This fake invoice spam foes not come from Plymouth City Council but is instead a simple forgery with a malicious attachment.

From     [CivicaReports@plymouth.gov.uk]
Date     Thu, 08 Oct 2015 14:03:31 +0400
Subject     Invoice for Payment

THIS IS A POST-ONLY EMAIL. PLEASE DO NOT REPLY TO THIS MESSAGE. THIS
EMAIL ADDRESS
IS NOT MONITORED FOR RESPONSES.

From: Plymouth LIVE SYSTEM (New)

Please find attached your invoice for payment in accordance with our
agreed terms and conditions.

The invoice is sent in PDF format. Double click on the attachment to
open the file.

PDF files require Adobe Acrobat Reader to view them. Download Adobe
Acrobat Reader
free of charge from the Adobe website at www.adobe.com/products/reader


For enquiries specifically relating to this invoice, please e-mail :
incomes@plymouth.gov.uk

This e-mail is confidential and intended for the exclusive use of the
addressee.

Any views or opinions expressed in this e-mail do not necessarily
represent those of Plymouth City Council, and are not to be relied upon
without subsequent written confirmation by an authorised representative.
If you are not the addressee, any disclosure, reproduction,
distribution, forwarding, or other dissemination or use is strictly
prohibited. If you have received this e-mail in error please notify the
Plymouth City Council Transaction Centre (incomes) helpdesk on 01752
304443

Plymouth City Council, The Civic Centre, Armada Way, Plymouth, PL1 2AA.

Telephone : 01752 668000 Website : www.plymouth.gov.uk
There are at least four different version of the document in circulation, each containing a malicious macro. Download locations spotted so far are:

katastimataone.com/bvcb34d/983bv3.exe
vsehochuti.unas.cz/bvcb34d/983bv3.exe
swaineallen.uk/bvcb34d/983bv3.exe
archives.wnpvam.com/bvcb34d/983bv3.exe


The payload is exactly the same as used in this spam run.

MD5s:
bb4d2d606091de154e81e292036981c8
80fba8c6b4947cea3d55cef66515d70f
1f5d975dedd140e62f794993792d906b
de413dd09e70e1dc48c5060afe3f87f0
70570b4d1806a25414959d7967bb542f

Malware spam: "Receipt from Norfolk Dance" / "[info@norfolkdance.co.uk]"

This fake financial email is not from Norfolk Dance but is instead a simply forgery with a malicious attachment:

From     "info" [info@norfolkdance.co.uk]
Date     Thu, 08 Oct 2015 12:39:28 +0300
Subject     Receipt from Norfolk Dance

Please find receipt for payment attached.

Many Thanks

Norfolk Dance
14 Chapel Field North
Norwich
Norfolk
NR2 1NY
Telephone: 01603 283399
E mail: info@norfolkdance.co.uk
Attached is a file Receipt.doc which I have seen in two different versions (VT detection rate 4/56 and 3/56) each containing a different malicious macro [1] [2] [Pastebin] which download a malicious binary from one of the following locations:

katastimataone.com/bvcb34d/983bv3.exe
archives.wnpvam.com/bvcb34d/983bv3.exe


This is saved as %TEMP%\fDe12.exe and currently has a VirusTotal detection rate of 4/55. The VirusTotal report indicates traffic to the following IP:

198.61.187.234 (Rackspace, US)

I recommend that you block traffic to this IP. Automated analysis is pending (check back later) but the payload is almost definitely the Dridex banking trojan.

MD5s:
bb4d2d606091de154e81e292036981c8
80fba8c6b4947cea3d55cef66515d70f
1f5d975dedd140e62f794993792d906b
de413dd09e70e1dc48c5060afe3f87f0
70570b4d1806a25414959d7967bb542f


Update:
The Hybrid Analysis report for the DOC file is here, and their analysis of the executable is available here with a Malwr report also here.

Wednesday, 7 October 2015

Malware spam: "Scanned document from MX-2600N"

This fake scanned document has a malicious payload attached.:

From:    xerox@victimdomain.tld
Reply-To:    xerox@victimdomain.tld
Date:    7 October 2015 at 10:08
Subject:    Scanned document from MX-2600N


Reply to: xerox@victimdomain.tld victimdomain.tld
>
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned document in XLS format.
Use Microsoft(R)Excel(R) to view the document.Attached is a file in the format xerox@victimdomain.tld_20151007_160214.xls (where victimdomain.tld is the victim's own domain), which has a VirusTotal detection rate of 3/56. This Excel file contains a malicious macro [pastebin] which in THIS case downloads a binary from the following location:

alarmtechcentral.com/fw43t2d/98kj6.exe

There will be other versions of the XLS file which will download components from other locations, however the payload will be the same, and it currently has a detection rate of 2/56. The VirusTotal report indicates traffic to:

84.246.226.211 (ELB Multimedia, France)

Blocking traffic to and from that IP is recommended.

Automated analysis is pending, please check back later. The payload is probably the Dridex banking trojan.

UPDATE
Here are the Hybrid Analysis reports for the XLS file and executable.