
Monday, 21 December 2015

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/


Many thanks,

Brenda Howcroft
Office Manager

t 01756 793335 sales
t 01756 790160 accounts


cid:377F41D9-BDEF-4E30-A110-21CFAAA1D908@home


This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender, Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.


Invoice 14702.doc
83K

Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

110.164.184.28/jh45wf/98i76u6h.exe
getmooresuccess.com/jh45wf/98i76u6h.exe
rahayu-homespa.com/jh45wf/98i76u6h.exe

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is the Dridex banking trojan.

MD5s:
6932A004CE3AD1AD5EA30F43A31B0285
49CF8C70BC4E94F6887ED0CBC426F08C
92B1F1B4BBD864411FA75C951D28EC5D
E4CB705754C93645D3F86F8AF9307769
D409889F92DA9B8D855C0037894A46CC
87CA159B9AEB127F698D2AA28A5BAAC5
C770760C66298301D1BE29E85ECBE971
F2FF5FCE2836025E97691937D6DF579E
6617EAB5B4DD17247DFF1819CA444674
EE57F929672651C1AE238EB7C7A0D734


Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169

Thursday, 17 December 2015

Malware spam: "Your new PHS documents are attached" / "PHSOnline [documents@phsonline.co.uk]"

This convincing-looking fake financial email does not come from PHS, but is instead a simple forgery with a malicious attachment:

From:    PHSOnline [documents@phsonline.co.uk]
Date:    17 December 2015 at 11:48
Subject:    Your new PHS documents are attached

Delivery of new PHS document(s)

Dear Customer

Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.

We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.

Regards

PHS Group

To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.

Contact us
Connect with PHS: Twitter   Facebook

This email was sent by Personnel Hygiene Services Limited - a member of the PHS Group. This company is registered in England & Wales to the address: PHS Group, Block B, Western Ind Estate, Caerphilly CF83 1XH. Company Reg No: 05384799 VAT No: GB542951438
PHS Logo

G-A0287580036267754265.xls
70K

Effectively, this is a re-run of this spam from October.

I have only seen a single sample of this. There is a malicious Excel document attached, G-A0287580036267754265.xls with a VirusTotal detection rate of 4/54. According to the Malwr report this attempts to download a binary from:

infosystems-gmbh.de/65dfg77/kmn653.exe

At present, this download location 404s but other versions of the document will probably have different download locations. The payload is the Dridex banking trojan, as seen several times today [1] [2] [3] [4].

Malware spam: "Required your attention" leads to Teslacrypt

This spam email has a malicious attachment:

From:    Brittany Quinn
Date:    17 December 2015 at 10:52
Subject:    Required your attention

Dear Partner,

As per your request, we have made special prices for you, which leave us only a very small margin.

Kindly find attached the prices with your personal discount, and if you need anything else, don’t hesitate to contact us.

Our best wishes, The sales team
The sender's name varies from email to email, as does the name of the attachment, but it is in a format similar to SCAN_PRICES_01106759.zip. Contained within is a malicious obfuscated JavaScript with a detection rate of 6/54, which is a bit clearer when deobfuscated, and it downloads from:

whatdidyaysay.com/97.exe?1
iamthewinnerhere.com/97.exe?1

This has a detection rate of 3/53. Automated analysis is inconclusive [1] [2] but this is Teslacrypt and is likely to be similar in characteristics to this spam run.



Malware spam: "Your Latest Right Fuel Card Invoice is Attached" / "Right Fuel Card Company [invoice@rightfuelcard.co.uk]"

This fake financial email is not from Right Fuel Card Company but is instead a simple forgery with a malicious attachment.

From:    Right Fuel Card Company [invoice@rightfuelcard.co.uk]
Date:    17 December 2015 at 11:11
Subject:    Your Latest Right Fuel Card Invoice is Attached


Please find attached your latest invoice.

PLEASE ALSO NOTE OUR NEW OPENING HOURS ARE:
Monday - Thursday 9am - 5pm
Friday 9am - 3pm

For a copy of our latest Terms & Conditions please visit www.rightfuelcard.co.uk

Should you have any queries please do not hesitate to call us on 0845 625 0153 (Calls to this number cost 5 pence per minute plus your telephone company's access charge) or via email to info@rightfuelcard.co.uk.

Regards

Customer Services
The Right Fuelcard Company Limited

Attached is a file A01CardInv1318489.xls - at present I only have a single sample of this. VirusTotal is down at the moment so I cannot tell you the detection rate. The Malwr analysis shows behaviour consistent with several Dridex runs going on this morning, with a download from:

infosystems-gmbh.de/65dfg77/kmn653.exe

The payload is the Dridex banking trojan, and is identical to the payload here, here and here.


Malware spam: "Currys PC World [noreply_stores@currys.co.uk]" / "Your eReceipt"

This very convincing-looking email is not from Currys PC World but is instead a simple forgery with a malicious attachment.

From:    Currys PC World [noreply_stores@currys.co.uk]
Date:    17 December 2015 at 08:27
Subject:    Your eReceipt


Currys PC World
Thank you.
Thank you for your purchase from Currys PC World.
Your e-receipt is attached for your records.
We understand that sometimes products need to be returned. You can either return it to your nearest store or call 0344 561 1234 from the UK or 1890 400 001 from the Republic of Ireland to speak to our customer services team to discuss a refund or exchange. Please have your e-receipt number to hand to speed up the process.

Some email mobile apps don't always show attachments. If you can't see the attachment, simply forward this email to another email address to view and save.

Thank you once again from everyone at Currys PC World.
Terms and conditions
You are receiving this service email because you made a purchase from us and requested an electronic copy of your receipt. Please do not reply to this email. If you need to contact us you can do so at: customer.services@currys.co.uk
Currys is a trading name of DSG Retail Limited, Maylands Avenue, Hemel Hempstead, Hertfordshire HP2 7TG, registered in England No. 504877, VAT No. 226659933. © DSG Retail Ireland Ltd, Unit 9A, The Park, Carrickmines, Dublin 18, Ireland Incorporated in Ireland, a private company with issued shares. Registration Number 259460.



e-Receipt.doc
77K
There are a few different versions of the attachment with fairly low detection rates [1] [2] and analysis of those two examples shows that the macro downloads from the following locations:

old.durchgegorene-weine.de/65dfg77/kmn653.exe
www.riucreatives.com/65dfg77/kmn653.exe


The payload here is the Dridex banking trojan and is identical to the one found here and here.

Malware spam: "James Wheatley sent you an document file!" / wheatjam@gmail.com

Poor old James Wheatley is a real person who must have pissed off some Russians somewhere (perhaps it is a Joe Job). This fake WhatsApp spam in his name has a malicious attachment.

From:    James Wheatley [wheatjam@gmail.com]
Date:    17 December 2015 at 09:50
Subject:    James Wheatley sent you an document file!

---
---
Sent by WhatsApp
There seem to be a few variants of the attachment; these have a detection rate of about 4/55 [1] [2], and analysis of those two examples [3] [4] shows that they download a malicious binary from:

www.nz77.de/65dfg77/kmn653.exe
old.durchgegorene-weine.de/65dfg77/kmn653.exe


This payload is the same as the one found in this spam run earlier today.
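Several of the runs above fetch the same path (/65dfg77/kmn653.exe) from unrelated, presumably compromised, hosts. The following added example (not code from the original post) shows how a defender can spot that fingerprint in proxy logs: it parses access-log lines, groups requested executables by URL path, and flags any path served from more than one host. The log lines are constructed for the example and use Squid's native access.log layout; the host names and paths are the download locations quoted in the posts above, the client addresses and timestamps are made up, and you would adjust LINE_RE for a different proxy format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumption: your
# proxy logs in this layout; adjust LINE_RE for others). Hosts and paths are the
# download locations quoted above; clients, sizes and timestamps are invented.
SAMPLE_LOG = """\
1450345200.123   1432 10.0.0.15 TCP_MISS/200 215040 GET http://old.durchgegorene-weine.de/65dfg77/kmn653.exe - HIER_DIRECT/192.0.2.10 application/octet-stream
1450345260.456    980 10.0.0.22 TCP_MISS/200 215040 GET http://www.riucreatives.com/65dfg77/kmn653.exe - HIER_DIRECT/192.0.2.11 application/octet-stream
1450345300.789    110 10.0.0.31 TCP_MISS/200 215040 GET http://www.nz77.de/65dfg77/kmn653.exe - HIER_DIRECT/192.0.2.12 application/octet-stream
1450345400.001     50 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.13 text/html
1450345500.002     60 10.0.0.40 TCP_MISS/404 300 GET http://infosystems-gmbh.de/65dfg77/kmn653.exe - HIER_DIRECT/192.0.2.14 text/html
1450345600.003     70 10.0.0.15 TCP_MISS/200 80000 GET http://downloads.example.org/tools/setup.exe - HIER_DIRECT/192.0.2.15 application/octet-stream
"""

# timestamp, elapsed ms, client, status, bytes, method, URL (rest of the line ignored)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return (client, status, host, path) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return m.group("client"), m.group("status"), parts.hostname, parts.path


def cluster_exe_paths(log_text):
    """Group every request for a .exe by its URL path.

    Returns two dicts keyed by path: the set of hosts it was fetched from and
    the set of internal clients that asked for it. A 404 still counts: the
    client tried to fetch it, which is what matters for triage."""
    hosts_by_path = defaultdict(set)
    clients_by_path = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, _status, host, path = rec
        if not path.lower().endswith(".exe"):
            continue
        hosts_by_path[path].add(host)
        clients_by_path[path].add(client)
    return hosts_by_path, clients_by_path


def suspicious_paths(log_text, min_hosts=2):
    """Paths requested as .exe from at least min_hosts distinct hosts.

    One identical path on several unrelated domains is the pattern of the
    Dridex runs described above; an ordinary software download comes from
    a single vendor host and is not reported."""
    hosts_by_path, clients_by_path = cluster_exe_paths(log_text)
    return {
        path: {"hosts": sorted(hosts), "clients": sorted(clients_by_path[path])}
        for path, hosts in hosts_by_path.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for path, info in suspicious_paths(SAMPLE_LOG).items():
        print(path, "served by", info["hosts"], "requested by", info["clients"])
```

The clients list is the useful output: those are the machines that opened the attachment and need the macro-enabled document pulled from their mailboxes and the host checked for the dropped executable.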


Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake TfL spam is meant to have a malicious attachment, but is malformed.

From:    noresponse@cclondon.com
Date:    17 December 2015 at 08:54
Subject:    Email from Transport for London

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.

If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

The attachment is not properly formatted and appears as a Base 64 section of the email. What it should be is a malicious document named FR7000609906.doc which has a VirusTotal detection rate of 4/54.

The Malwr analysis of the document indicates that it downloads from:

www.riucreatives.com/65dfg77/kmn653.exe

This has a detection rate of 3/54 and an MD5 of d5e717617400b3c479228fa756277be1. The Malwr report and Hybrid Analysis indicate network traffic to:

151.80.142.33 (OVH, France)
117.239.73.244 (Marian International Institute Of Management, India)


The payload is likely to be the Dridex banking trojan.

Recommended blocklist:
151.80.142.33
117.239.73.244

Malware spam: "12/16 A Invoice"

This fake financial spam leads to malware:

From:    Kelley Small
Date:    17 December 2015 at 08:39
Subject:    12/16 A Invoice

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Kelley Small
The sender's name is randomly generated, for example:

Harris Page
Leonel Kramer
Gracie Fuentes
Earlene Aguirre
Jerri Whitfield
Art Keith
Freeman Gregory
Moses Larson
Leanna Fletcher

There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2] [3] [4] [5] [6] [7]). Detection rates are close to zero.

The Malwr reports for those documents [1] [2] [3] [4] [5] [6] [7] are a mixed bag, but overall they spot data being POSTed to:

179.60.144.18/chicken/bacon.php
91.203.5.169/chicken/bacon.php


Sources tell me there is another download location of:

195.191.25.145/chicken/bacon.php

Those IPs are likely to be malicious and belong to:

179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)



They also GET from:

savepic.su/6786586.png

A file karp.exe is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with:

80.96.150.201 (SC-Nextra Telecom SRL, Romania)

It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.

MD5s:
1FBF5BE463CE094A6F7AD345612EC1E7
69F7AFB14E0E6450C4D122C53365A048
1A4048FA8B910CE6620A91A630B32CF6
7034285D8AA1EC84CFDFF530069ECF77
E0019B311E0319AB3C79C5CDAF5A067D
D08BC2E90E6BB63FB4AEBA63C0E298F4
3ED7EDC00C2C62548B83BCDAAA43C47A
B9D135801A8008EA74584C3DEB1BE8D4


Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145

savepic.su

UPDATE 12/1/16

The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.

Wednesday, 16 December 2015

Malware spam: "Your account has a debt and is past due" leads to Teslacrypt

This fake financial spam comes with an interesting error in the part that is meant to randomly generate the dollar amount:

From:    Frances Figueroa
Date:    16 December 2015 at 17:22
Subject:    Your account has a debt and is past due

Dear Customer,

Our records show that your account has a debt of $345.{rand(10,99)}}. Previous attempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.
The value, sender's name and attachment name are randomly generated. The attachment is named in the format SCAN_INVOICE_79608749.zip which contains a malicious script that attempts to download Teslacrypt ransomware from the following locations:

whatdidyaysay.com/80.exe?1
iamthewinnerhere.com/80.exe?1


This has a VirusTotal detection rate of 3/54 and an MD5 of 5c2a687f9235dd536834632c8185b32e. Those download locations have been registered specifically for this purpose (they are not hacked sites) and are hosted on:

176.99.12.87 (Global Telecommunications Ltd., Russia)
185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
5.178.71.10 (Serverius, Netherlands)


The following malicious sites are also hosted on those IPs:

dns1.ojwekhsdfs.in
dns2.ojwekhsdfs.in
whatdidyaysay.com
washawaydesctrucion.com
dns1.mikymaus.in
dns2.mikymaus.in
dns1.saymylandgoodbye.in
dns2.saymylandgoodbye.in
dns2.auth-mail.ru
gammus.com
ifyougowegotoo.com
iamthewinnerhere.com
thewelltakeberlin.com
remarkablyxj.top
sufficientbe.top
domainsgmwills.top
ns2.directly-truimph.com

These automated reports [1] [2] [3] show that the malware calls home to these following legitimate but hacked domains:

sofiehughesphotography.com
goedkoop-weekendjeweg.net
coatesarchitecture.com
hotbizlist.com
adamhughes.in
magaz.mdoy.pro

Recommended minimum blocklist:
176.99.12.87
185.69.152.145
5.178.71.10

whatdidyaysay.com
iamthewinnerhere.com

Malware spam: "Unpaid Invoice from Staples Inc., Ref. 09123456, Urgent Notice" leads to Teslacrypt

This fake financial spam is not from Staples or Realty Solutions but is instead a simple forgery with a malicious attachment.

From:    Virgilio Bradley
Date:    16 December 2015 at 14:37
Subject:    Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice

Dear Valued Customer,

This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.

Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.


Regards,
Virgilio Bradley
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216

The names, amounts and reference numbers change from email to email. The attachment name matches the reference number (e.g. invoice_09846839_copy.doc), but despite this I have only seen one version, with a VirusTotal detection rate of just 1/55.

According to this Malwr report, the macro in the document downloads a binary from:

iamthewinnerhere.com/97.exe

This appears to be Teslacrypt ransomware and it has a detection rate of 5/53. Unlike some other malware, the domain iamthewinnerhere.com has been registered specifically to host this malware, and is located on:

185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany)


Nameservers are DNS1.SAYMYLANDGOODBYE.IN and DNS2.SAYMYLANDGOODBYE.IN. Other suspect sites on these IPs are:

dns2.auth-mail.ru
metiztransport.ru
remarkablyxj.top
sufficientbe.top
domainsgmwills.top
dns2.mikymaus.in
dns2.dlhosting.in
dns2.donaldducks.in
dns2.saymylandgoodbye.in
dns1.gogodns.ru
dns2.gogodns.ru
gammus.com
testsfds.com
waschmaschinen.testsfds.com
miracleworld1.com
ifyougowegotoo.com
hellofromjamaica.com
www.hellofromjamaica.com
firstwetakemanhat.com
thewelltakeberlin.com
mixer.testsg.net
abfalleimer.testsg.net
buegeleisen.testsg.net
bodenwischer.testsg.net
wasserfilter.testsg.net
kuechenmaschinen.testsg.net
testzd.net
staubsauger.testzd.net
waschtrockner.testzd.net
kaffeevollautomat.testzd.net
izfrynscrek.net
ftp.lazur.info
aspirateurs.lazur.info

According to this Malwr report, it then phones back to these legitimate but hacked domains:

sofiehughesphotography.com
magaz.mdoy.pro
adamhughes.in
goedkoop-weekendjeweg.net
hotbizlist.com
coatesarchitecture.com

MD5s:
3999736909019a7e305bc435eb4168fd
8f4bd99c810d517fb2d2b89280759862

Recommended minimum blocklist:
iamthewinnerhere.com
185.69.152.145
84.200.69.60



Malware spam: "Invoice No. 22696240" / "Sharon Samuels" [sharons463@brunel-promotions.co.uk]

This fake financial email does not come from Brunel Promotions but is instead a simple forgery with a malicious attachment.

From     "Sharon Samuels" [sharons463@brunel-promotions.co.uk]
Date     Wed, 16 Dec 2015 14:46:12 +0300
Subject     Invoice No. 22696240

  Good morning

Please find attached your latest invoice, for your attention.

Please be advised that your goods have been despatched for delivery.

Regards

Sharon
--------------------------------------------
Calendars and Diaries of Bristol Limited
Hope Road
Bedminster

BRISTOL
Bristol
BS3 3NZ
United Kingdom
Tel:01179636161
Fax:01179664235
Various details in the message change, such as the invoice number. I have seen two attachments with detection rates of 4/55 [1] [2] which according to Malwr [3] [4] download a malicious binary from the following locations:

winnig.privat.t-online.de/98g654d/4567gh98.exe
printempsroumain.org/98g654d/4567gh98.exe


This executable has a detection rate of 3/52 and these automated analyses [1] [2] [3] [4] indicate network traffic to:

199.7.136.84 (Megawire, Canada)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)


The payload is the Dridex banking trojan, probably.

MD5s:
d73d599ef434d7edad4697543a3e8a2b
7bcf4a947a74866debbcdeae068541fe
1cf8d5ab33c7e9e603d87d482c1c865d


Recommended blocklist:
199.7.136.84
202.69.40.173
221.132.35.56



Malware spam: "Documentation: Your Order Ref: SGM249/013" / "Jonathan Carroll [Jonathan@john-s-shackleton.co.uk]"

This fake financial spam is not from John S. Shackleton (Sheffield) Ltd but is instead a simple forgery with a malicious attachment. It is the second spam in a day pretending to be from a steel company.

From     Jonathan Carroll [Jonathan@john-s-shackleton.co.uk]
Date     Wed, 16 Dec 2015 11:11:09 -0000
Subject     Documentation: Your Order Ref: SGM249/013

Your Order: SGM249/013
Our Order: 345522
Advice Note: 355187
Despatch Date: 22/12/15

Attachments:
s547369.DOC Shackleton Invoice Number 355187


John S. Shackleton (Sheffield) Ltd
4 Downgate Drive
Sheffield
S4 8BU

Tel: 0114 244 4767
Fax: 0114 242 5965

E-mail: sales@john-s-shackleton.co.uk
Web: www.johnsshackleton.co.uk

Phone us for a free stock brochure.

Our product range includes: Beams, Columns, Pfc's, Channels, Flats, Rounds, Squares,
Angles, Tees, Convex, ERW Tubes, Hollow Section, Cold Reduced Sheet, Hot Rolled Sheet
Galvanised Sheet, Zintec Sheet, Floorplate, Open Mesh Flooring, Handrail Standards,
Tube, Tubeclamps. Welded Mesh, Expanded Metal, Perforated Sheet, U Edging, Fencing
and Bright Bar.

IMPORTANT NOTE

Our Terms and Conditions of Sale apply to all quotations and the supply of all goods.
Copies of our Terms and Conditions of Sale are available on request or can be found
on our website www.johnsshackleton.co.uk . These
Terms and Conditions include a provision (see term 12) that title to goods supplied
shall not pass to a customer until payment is received by us in full for all goods
supplied. We only accept orders for the supply of goods on the basis our Terms and
Conditions of Sale apply.

I have only seen a single sample of this spam, with an attachment s547369.DOC which has a VirusTotal detection rate of 4/55. According to this Malwr Report it downloads a malicious binary from:

bbbfilms.com/98g654d/4567gh98.exe

This binary has a detection rate of 4/53 and is the same payload as found in this spam run, leading to the Dridex banking trojan.

Malware spam: "Your e-Invoice(s) from Barrett Steel Services Ltd" / "samantha.morgan@barrettsteel.com"

This fake financial spam does not come from Barrett Steel Services Ltd but is instead a simple forgery with a malicious attachment:

From:    samantha.morgan@barrettsteel.com
Date:    16 December 2015 at 09:44
Subject:    Your e-Invoice(s) from Barrett Steel Services Ltd

Dear Customer,

Please find attached your latest Invoice(s).

Kind Regards,
Samantha Morgan,
Barrett Steel Services Ltd,

Phone: 01274654248
Email: samantha.morgan@barrettsteel.com


PS
Have you considered paying by BACS ?  Our details can be found on the attached invoice.

Please reply to this email if you have any queries.


You can use the link below to perform an Experian credit check.

http://www.experian.co.uk/business-check/landing-page/barrett-steel.html?utm_source=BarrettSteel&utm_medium=Banner&utm_campaign=BusinessCheckBS

Samantha Morgan
Credit Controller

Tel: 01274 654248 |  | Fax: 01274 654253
Email: Samantha.Morgan@Barrettsteel.com | Web: www.barrettsteel.com


------------------------------------------------------------------------------
IMPORTANT NOTICE

The information contained in or attached to this e-mail is intended for the use of the individual or entity to which it is addressed. It may contain information which is confidential and/or covered by legal, professional or other privilege (or other similar rules or laws). If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it.  Nor should you take any action with reference to it. If you have received this communication in error, please return it with the title "received in error" to Barrett.Admin@Barrettsteel.com then delete the email and destroy any copies of it.

This email has been scanned for viruses, but no responsibility is accepted once this communication has been transmitted. You should scan attachments (if any) for viruses.

Registered Office:
Barrett House, Cutler Heights Lane, Dudley Hill, Bradford, BD4 9HU

This message has been scanned by iCritical.

Attached is a file e-Invoice Barrett Steel Services Ltd.doc which I have seen just a single variant of, with a VirusTotal detection rate of 4/54 which according to this Malwr analysis downloads a malicious binary from the following location:

wattplus.net/98g654d/4567gh98.exe

This downloaded binary has a detection rate of 4/53 and according to this Malwr report it attempts to contact:

199.7.136.84 (Megawire, Canada)

I strongly recommend that you block traffic to that IP. Other analysis is pending. The payload is almost definitely the Dridex banking trojan.

Domain registration scan: cn-registry.net / "Huabao Ltd"

This type of Chinese domain registration scam has been around for years.

From:    Jim Gong [jim.gong@cnregistry.net]
Date:    15 December 2015 at 13:40
Subject:    "petroldirect"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huabao Ltd on December 14, 2015. They want to register " petroldirect " as their Internet Keyword and " petroldirect .cn "、" petroldirect .com.cn " 、" petroldirect .net.cn "、" petroldirect .org.cn " 、" petroldirect .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " petroldirect " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

 
Best Regards,
  Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Shanghai, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.net
In fact, there is no Huabao Ltd - it's just a made-up name that the scammers use to try to persuade you into buying some overpriced and worthless domains. Nobody is interested in buying these domains, and no domain registrar would contact you before registration in any case, as it is not the responsibility of the registrar to do so*.

I certainly don't recommend forwarding this to your CEO, as many CEOs will not understand the scam and may fall for it. If you do forward it, make sure that you point out that this is a scam.

This scam has been around for so long, that I even made a video about it..


These following domains are all variations of the same rogue Chinese registrar:

cnregistry.net
cn-registry.net
cnwebregistry.net
cn-registry.com
cnweb-registry.com
cnwebregistry.com
cnwebregistry.org
cnweb-registry.org
cnregistry.com.cn
cn-registry.org.cn
cnweb.org.cn
webregistry.org.cn


* except in specific and limited circumstances (e.g sunrise applications) that do not apply here.


Tuesday, 15 December 2015

Malware spam: "Rockspring Remittance Advice - WIRE"

This fake financial spam comes with a malicious attachment:

From:    Kristina Salinas
Date:    15 December 2015 at 14:59
Subject:    Rockspring Remittance Advice - WIRE

Dear Customer,

Please find attached your Remittance Details for the funds that will be deposited to your bank account on December 15th.

Rockspring Capital is now sending through the bank the addenda information including your remit information.

If you are not seeing your addenda information in your bank reporting you may have to contact your local bank representative.

Accounts Payable
Attached is a malicious document with a random name. I have only seen one sample so far, with a VirusTotal detection rate of 3/55. The Malwr report indicates the same behaviour as this earlier spam run, which is dropping Nymaim ransomware.

Tainted network: Dmitry Shestakov / vds24.net on OVH

vds24.net (apparently belonging to "Dmitry Shestakov") is a Russian reseller of OVH servers that has come up on my radar a few times in the past few days [1] [2] [3] in connection with domains supporting Teslacrypt malware and acting as landing pages for the Angler exploit kit.

Curious as to what was hosted on vds24.net, I set about trying to find out their IP address ranges. This proved to be somewhat difficult as they are spread in little chunks throughout OVH's IP space. I managed to identify:

5.135.58.216/29
5.135.254.224/29

51.254.10.128/29
51.254.162.80/30

51.255.131.64/30
149.202.234.116/30
149.202.234.144/30
149.202.234.188/30

149.202.237.68/30
176.31.24.28/30
178.32.95.152/29
178.33.200.128/26


Then, using a reverse DNS function, I looked up all the domains associated with those ranges (there were a LOT) and then looked to see which were active, plus their SURBL and Google ratings. You can see the results of the analysis here [csv].

There may well be legitimate domains in this range, but out of 1658 domains identified, 1287 (77.6%) are flagged by SURBL as being spammy. Only 11 (0.7%) are identified as malicious, but in reality I believe this to be much higher.

In particular, the following IPs seem to be clearly bad from those ratings:

51.254.10.131
51.254.162.81
51.255.131.66
51.255.142.101
149.202.234.190
149.202.237.68
178.33.200.138

I can see 61 active IPs in the vds24.net range, so perhaps it is only a small proportion. However, depending on your network stance, you may want to consider blocking all the IP ranges specified above just to be on the safe side.
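The analysis described above (expand the ranges, reverse-resolve each address, rate the resulting domains, and pick out the IPs that score worst) is straightforward to script. The following added example is not the author's tooling: it expands the vds24.net ranges listed in the post into the address list you would run PTR lookups over, offers a membership check usable as a blocklist, and ranks IPs by the fraction of their reverse-DNS names that a DNSBL such as SURBL flagged. The RDNS_RESULTS table is a constructed stand-in for the lookup output (the domain names in it are invented), so the script runs offline; the 50% threshold and two-domain minimum are assumptions you would tune.

```python
import ipaddress

# The vds24.net ranges identified in the post above.
VDS24_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "5.135.58.216/29", "5.135.254.224/29", "51.254.10.128/29", "51.254.162.80/30",
    "51.255.131.64/30", "149.202.234.116/30", "149.202.234.144/30",
    "149.202.234.188/30", "149.202.237.68/30", "176.31.24.28/30",
    "178.32.95.152/29", "178.33.200.128/26",
)]


def hosts_in_ranges(ranges):
    """Every host address in the ranges: the list you would reverse-resolve (PTR lookups)."""
    return [str(host) for net in ranges for host in net.hosts()]


def in_ranges(ip, ranges=VDS24_RANGES):
    """True if ip falls inside any of the ranges; usable as a simple blocklist check."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


# Constructed stand-in for the reverse-DNS plus SURBL results: ip -> {domain: flagged}.
# In practice this comes from PTR lookups over hosts_in_ranges() followed by a DNSBL
# query per domain (SURBL answers for <domain>.multi.surbl.org). Domains are invented.
RDNS_RESULTS = {
    "51.254.10.131": {"a-example.net": True, "b-example.net": True, "c-example.net": True},
    "51.254.10.129": {"shop-example.com": False, "blog-example.org": False},
    "149.202.237.68": {"d-example.biz": True, "e-example.biz": True},
    "178.33.200.138": {"f-example.info": True, "g-example.info": False, "h-example.info": True},
    "178.33.200.140": {"ok-example.com": False},
}


def rate_ips(results):
    """Per-IP (flagged, total, fraction) so the worst hosts can be ranked."""
    rated = {}
    for ip, domains in results.items():
        flagged = sum(1 for is_bad in domains.values() if is_bad)
        total = len(domains)
        rated[ip] = (flagged, total, flagged / total if total else 0.0)
    return rated


def bad_ips(results, threshold=0.5, min_domains=2):
    """IPs with at least min_domains reverse-DNS names, of which >= threshold are flagged.

    The minimum stops a single flagged name from condemning an address; the
    threshold is what separates a bulletproof-style host from a shared server
    with one spammy tenant."""
    return sorted(
        ip for ip, (_flagged, total, frac) in rate_ips(results).items()
        if total >= min_domains and frac >= threshold
    )


def overall_stats(results):
    """(total domains, flagged domains, flagged percentage to one decimal place),
    the same headline figure the post reports for the whole reseller."""
    total = sum(len(domains) for domains in results.values())
    flagged = sum(sum(1 for is_bad in d.values() if is_bad) for d in results.values())
    pct = round(100.0 * flagged / total, 1) if total else 0.0
    return total, flagged, pct


if __name__ == "__main__":
    print(len(hosts_in_ranges(VDS24_RANGES)), "addresses to reverse-resolve")
    print("overall (domains, flagged, %):", overall_stats(RDNS_RESULTS))
    print("clearly bad:", bad_ips(RDNS_RESULTS))
```

To make a blocking decision on a per-range rather than per-IP basis, run bad_ips() and then map each result back through VDS24_RANGES with in_ranges(); a range in which most hosts come out bad is the case the post describes as worth blocking outright.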

UPDATE

One additional range has come to light, connected with the Dridex banking trojan:

51.254.51.176/30



Malware spam: "Invoice Attached" / "Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp."

This fake financial spam has a malicious attachment:

From:    Ernestine Harvey
Date:    15 December 2015 at 11:34
Subject:    Invoice Attached

Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.

Thank you!

Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.
The sender name varies randomly, except in the email they are all signed "Mr." even if they have female names, for example:

Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson

The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.

An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:

modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe


Note that these are all .TK domains, and they are all hosted on exactly the same server of 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:

servicexmonitoring899.tk

I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.

Anyway, the downloaded binary has a VirusTotal detection rate of 4/55 and the comments indicate that rather surprisingly this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:

41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)


There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.

MD5s:
4CADF61E96C2D62292320C556FD34FE6
BBAAAB1245D7EDD40EE501233162110E
6B6C7430D33FE16FAE94162D61AF35DD
79A10791B1690A22AB4D098B9725C5E0
D148440E07434E4823524A03DE3EB12F
B41205F6AEEEB1AA1FD8E0DCBDDF270E



Recommended blocklist:
31.184.234.5
41.224.12.178
51.255.59.248
78.107.46.8
95.173.163.211
118.102.239.53
140.116.161.33
185.114.22.214
192.200.220.42
200.195.138.156
210.150.126.225
xnkhfbc.in
oxrdmfdis.in


UPDATE

A source tells me (thank you) that servicexmonitoring899.tk is now resolving to 78.129.252.19 (iomart, UK), which has also recently hosted the following domains:

google-apsm.in
specre.com
ganduxerdesign.com
www.ganduxerdesign.com
upmisterfliremsnk.net
tornishineynarkkek.org
tornishineynarkkek2.org

Some of these domains are associated with Rovnix.

Malware spam: "Invoice for Voucher ACH-2-197701-35" / "Reservations [res@affordablecarhire.com]"

This fake financial spam does not come from Affordable Car Hire but is instead a simple forgery with a malicious attachment.

From:    Reservations [res@affordablecarhire.com]
Date:    15 December 2015 at 11:50
Subject:    Invoice for Voucher ACH-2-197701-35


Affordable Car Hire
     
Payment Link For BookingACH-2-197701-35
 
 
Please find attached your invoice for reservation number ACH-2-197701-35
 

 
This email was sent on 14/12/2015 at 16:25
 



ACH-2-197701-35-invoice.xls
116K

I have only seen a single sample, with an attachment ACH-2-197701-35-invoice.xls which has a VirusTotal detection rate of 3/54. According to this Malwr report, it downloads a malicious binary from:

usahamanfaat.com/8iy45323f/i87645y3t23.exe

The payload here is the Dridex banking trojan, and it is identical to the one found in this spam run.

Malware spam: "Order PS007XX20000584" / "Nicola Hogg [NHogg@pettywood.co.uk]"

This rather brief spam does not come from Petty Wood but is instead a simple forgery with a malicious attachment:

From:    Nicola Hogg [NHogg@pettywood.co.uk]
Date:    15 December 2015 at 10:14
Subject:    Order PS007XX20000584

There is no body text, but instead there is an attachment PS007XX20000584 - Confirmation with Photos.DOC which has a VirusTotal detection rate of 5/55 and it contains a malicious macro [pastebin] which (according to this Malwr report) downloads a binary from:

kutschfahrten-friesenexpress.de/8iy45323f/i87645y3t23.exe

There are probably other versions of the document with different download locations. This malicious executable has a detection rate of 2/54, and between them these three reports [1] [2] [3] indicate malicious traffic to:

199.7.136.84 (Megawire Inc, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)


The payload here is likely to be the Dridex banking trojan.

MD5s:
8b288305733214f8e0d95386d886af2d
f9c00d3db5fa6cd33bc3cd5a08766ad0


Recommended blocklist:
199.7.136.84
221.132.35.56
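An added example, not from the original posts, showing how the indicators from the runs above can be matched against web-proxy logs. The hosts, IPs, the 31.184.234.0/24 range and the download paths are taken from the posts; the log format, the sample lines and the extra host names are constructed. The detail worth building on is that the Dridex documents fetch the same path (/8iy45323f/i87645y3t23.exe) from different compromised hosts, so a rule on the path catches a document version whose download site has not been seen yet.

```python
"""Match proxy log lines against the IOCs in these posts.

Added example, not the blog's own tooling.  Indicator values come from the
posts; the log layout, sample lines and *.test host names are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCK_HOSTS = {
    "usahamanfaat.com",
    "kutschfahrten-friesenexpress.de",
    "xnkhfbc.in",
    "oxrdmfdis.in",
}
BLOCK_IPS = {
    ipaddress.ip_address(a)
    for a in ("199.7.136.84", "221.132.35.56", "200.195.138.156", "51.255.59.248")
}
# The post suggests the whole /24 around 31.184.234.5 looks questionable.
BLOCK_NETS = [ipaddress.ip_network("31.184.234.0/24")]

# Paths recur across unrelated compromised hosts within one run, so they
# outlive any single host indicator.  The .tk downloads share a directory
# token with a random filename, hence the character-class pattern.
PATH_PATTERNS = [
    re.compile(r"^/8iy45323f/i87645y3t23\.exe$", re.I),
    re.compile(r"^/x1656/[a-z0-9]{6,12}\.exe$", re.I),
]


def split_url(url):
    """Return (host, path); logs often omit the scheme, so add one if missing."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip("."), parts.path or "/"


def classify(url):
    """Return why a URL matches ("host", "ip", "net" or "path"), or None."""
    host, path = split_url(url)
    if host in BLOCK_HOSTS:
        return "host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a domain name, not a literal IP
    if ip is not None:
        if ip in BLOCK_IPS:
            return "ip"
        if any(ip in net for net in BLOCK_NETS):
            return "net"
    if any(pat.match(path) for pat in PATH_PATTERNS):
        return "path"
    return None


# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1450178891 10.0.0.12 GET http://kutschfahrten-friesenexpress.de/8iy45323f/i87645y3t23.exe 200
1450178902 10.0.0.12 GET http://www.example.com/ 200
1450178915 10.0.0.31 GET http://another-hacked-site.test/8iy45323f/i87645y3t23.exe 200
1450178930 10.0.0.31 POST http://200.195.138.156/ 200
1450178944 10.0.0.45 GET http://31.184.234.77/x1656/zz9q1abc.exe 404
1450178950 10.0.0.45 GET http://USAHAMANFAAT.COM/favicon.ico 404
"""


def scan_log(text):
    """Return (client, url, reason) for every line matching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        client, url = fields[1], fields[3]
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {reason:4s} {url}")
```

The third sample line is the interesting one: the host is unknown, but the path gives it away. Host and IP matches are checked first so a hit on a known-bad address is reported as such even when the path also matches.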

Malware spam: "Reference Number #89044096, Notice of Unpaid Invoice" leads to Teslacrypt

This fake financial spam comes with a malicious attachment.

From:    Carol Mcgowan
Date:    15 December 2015 at 09:09
Subject:    Reference Number #89044096, Notice of Unpaid Invoice

Dear Valued Customer,

It seems that your account has a past due balance of $263,49. Previous attempts to collect the outstanding amount have failed.

Please remit $263,49 from invoice #89044096 within three days or your account will be closed, any outstanding orders will be cancelled and this matter will be referred to a collection agency.

The payment notice is enclosed to the letter down below.

Attached is a file invoice_89044096_scan.doc which has a VirusTotal detection rate of 2/54, and which contains this malicious macro [pastebin] which attempts to download a binary from the following location:

thewelltakeberlin.com/92.exe 

This domain was registered only today, and at the moment is not resolving properly. The payload here is likely to be Teslacrypt.

The WHOIS details for it are:

Registrant Name: Quinciano Huerta
Registrant Organization: Quinciano Huerta
Registrant Street: Vila Fonteles 163  
Registrant City: Fortaleza
Registrant State/Province: CE
Registrant Postal Code: 60741-080
Registrant Country: BR
Registrant Phone: +55.8568257712
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wexel@thewelltakeberlin.com


Nameservers are dns1.saymylandgoodbye.in and dns2.saymylandgoodbye.in, hosted on 5.178.71.5 (Serverius, Netherlands) and 83.69.233.102 (Awax Telecom, Russia).

Those two IPs host or have recently hosted the following potentially malicious domains:

buildites.com
dauth-mail.ru
ddonaldducks.in
directly-success.com
dmikymaus.in
dsaymylandgoodbye.in
dsoftextrain644.com
gammus.com
hackeroff.net
kalamarkesof.org
linuxczar.com
metiztransport.ru
miracleworld1.com
obamalox.com
outreel.ru
pro100now.ru
rapdacity.ru
remarkablyxj.top
staringpartnerk.com
sufficientbe.top
superiorityci.top
trillionstudio.com
vmark.su
workcccbiz.in

Recommended minimum blocklist:
thewelltakeberlin.com
83.69.233.102
5.178.71.5

UPDATE
There is a good analysis of this malware at TechHelpList including the C2 domains involved.