Wednesday, 6 January 2016

Malware spam: "Invoice for IA20114520"

This fake financial spam comes with a malicious attachment. The sender's name, reference numbers and attachment names vary. It seems to be closely related to this spam run.

From:    Viola Carrillo
Date:    6 January 2016 at 09:53
Subject:    Invoice for IA20114520

To Whom It May Concern,

Please find attached an invoice relating to Penalty Charge Notice Number IA20114520 along with a copy of the contravention.

In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.

Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.

Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.

I have seen two variants of the attachment (VirusTotal results [1] [2]) and these two Malwr reports [3] [4] indicate identical characteristics to the payload in this spam run which is also being sent out today.

Malware spam: "Invoice-205611-49934798-CROSSHILL SF"

This fake financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:

From:    Bertha Sherman
Date:    6 January 2016 at 09:29
Subject:    Invoice-205611-49934798-CROSSHILL SF

Dear Customer,

Please find attached Invoice 02276770 for your attention.

Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

I have seen at least four different attachments with names in a format similar to invoice40201976.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show that the malware contained within POSTs to:

37.46.130.53/jasmin/authentication.php
179.60.144.21/jasmin/authentication.php
195.191.25.138/jasmin/authentication.php

Those reports also show communication to other suspect IPs:

94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)


This Hybrid Analysis also shows similar characteristics.

The macro drops a file tsx3.exe with a detection rate of 7/55. The Malwr report doesn't give any particular insight as to what this is, but it is likely to be a banking trojan or ransomware. UPDATE: this is Dridex (botnet 120 apparently), and thus the dropped file has been updated to this one.

There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost.RU IP in Russia:

109.234.34.224/jasmin/authentication.php

MD5s (dropped EXE):
fdd95b4cc10b536934486c7d3fdee04f
613f5e4139e8006e9d47cb562450bc4a


MD5s (attachments):

Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138

109.234.34.224


Monday, 4 January 2016

Evil network: 199.195.196.176/29 / Roman Alyabiev

199.195.196.176/29 is a small bunch of IPs hosting browser hijacker sites, belonging to Hosting Services, Inc. in Utah and suballocated to a customer.

Several domains are flagged by Google as leading to PUAs or malware [1] [2] [3] [4] [5] [6], and almost all those domains also have anonymous registrations.

However, the domain goforfiles.com does not have anonymous registration, and those details are:

Registry Registrant ID:
Registrant Name: Roman Alyabiev
Registrant Organization: Righway Technologies, Inc.
Registrant Street: 1740 H Dell Range Blvd #281
Registrant City: Cheyenne
Registrant State/Province:
Registrant Postal Code: 82009
Registrant Country: US
Registrant Phone: +1.3074590153
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@goforfiles.com
Registry Admin ID: 

There is no such company as "Righway Technologies, Inc", but the name Roman Alyabiev matches the records for the IP block:

network:Network-Name:Dedicated Server
network:IP-Network:199.195.196.176/29
network:IP-Network-Block:199.195.196.176 - 199.195.196.183
network:Org-Name:Alyabiev, Roman
network:Street-Address:pr. Molodeznoi 7 kv. 101
network:City:Kemerovo
network:State:
network:Postal-Code:650044
network:Country-Code:RU

A full list of sites currently or recently hosted in this block can be found here. The domains in use for browser hijacking are:


Blocking 199.195.196.176/29 or monitoring traffic to it might detect infected hosts, which appear to have a bunch of pay-per-install crapware and other stuff installed.
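As an added example (not the blog's own tooling), here is how a defender might run the indicators from the Dridex "Recommended blocklist" above and this /29 against proxy logs. The log format, the internal client addresses and the sample lines are constructed assumptions; the IPs, the /jasmin/authentication.php path, the /29 and goforfiles.com are taken from the posts above.

```python
import ipaddress
import re

# Indicators copied from the posts above: the Dridex "Recommended blocklist"
# IPs, the path the macros POST to, the browser-hijacker /29 and one of its
# domains. Everything else (log format, client IPs, sample lines) is constructed.
BLOCKED_IPS = {
    "94.158.214.45", "78.47.119.93", "2.61.168.116", "37.46.130.53",
    "179.60.144.21", "195.191.25.138", "109.234.34.224",
}
BLOCKED_NETWORKS = [ipaddress.ip_network("199.195.196.176/29")]
SUSPECT_POST_PATHS = ("/jasmin/authentication.php",)
HIJACKER_DOMAINS = {"goforfiles.com"}

# Assumed (constructed) log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict with host and path split out, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = rec["url"]
    rest = url.split("://", 1)[1] if "://" in url else url
    host, _, path = rest.partition("/")
    rec["host"] = host.split(":", 1)[0].lower()  # drop any :port
    rec["path"] = "/" + path
    return rec


def classify(rec):
    """Return the reasons a parsed record matches the page's indicators (empty if clean)."""
    reasons = []
    host = rec["host"]
    if host in BLOCKED_IPS:
        reasons.append("blocklisted IP " + host)
    if host in HIJACKER_DOMAINS:
        reasons.append("browser-hijacker domain " + host)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # hostname, not an IP literal
    if addr is not None:
        # Network membership: 199.195.196.180 matches, .184 (outside the /29) does not.
        for net in BLOCKED_NETWORKS:
            if addr in net:
                reasons.append(f"IP inside hijacker block {net}")
    if rec["method"] == "POST" and rec["path"] in SUSPECT_POST_PATHS:
        reasons.append("POST to Dridex check-in path " + rec["path"])
    return reasons


def scan(lines):
    """Map each internal client IP to the list of reasons its traffic matched."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["client"], []).extend(reasons)
    return hits


# Constructed sample log; client addresses and timestamps are made up.
SAMPLE_LOG = [
    "2016-01-06T09:55:01Z 10.0.0.12 POST http://37.46.130.53/jasmin/authentication.php 200",
    "2016-01-06T09:55:02Z 10.0.0.12 GET http://www.example.com/ 200",
    "2016-01-06T10:01:14Z 10.0.0.34 GET http://199.195.196.180/index.html 200",
    "2016-01-06T10:02:00Z 10.0.0.34 GET http://goforfiles.com/ 200",
    "2016-01-06T10:03:00Z 10.0.0.56 GET http://199.195.196.184/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client)
        for r in reasons:
            print("  -", r)
```

Only the two internal hosts that touched an indicator are reported; the host talking to 199.195.196.184, one address past the end of the /29, is correctly left alone.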

Wednesday, 23 December 2015

Malware spam: "Christmas Industrial Decorating invoice-50473367)"

This fake invoice has a malicious attachment:

From:    Rachael Murphy
Date:    23 December 2015 at 13:05
Subject:    Christmas Industrial Decorating invoice-50473367)

Good afternoon,

Please find attached 1 invoice for processing.

Regards and Merry Christmas!

Rachael Murphy
Financial Manager

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

The sender's name and reference number vary; the attachment is in the format invoice45634499.doc and comes in at least three different versions (VirusTotal results [1] [2] [3]).

Analysis is pending; the payload is likely to be the Dridex banking trojan.

The payload appears to be the same as the one found in this spam run.

Malware spam: "UKSM Invoice 70146427" / "uksafetymanagement.co.uk"

This fake financial spam comes with a malicious attachment. It does not come from uksafetymanagement.co.uk but is instead a simple forgery.

From:    Claire Carey
Date:    23 December 2015 at 12:01
Subject:    UKSM Invoice 70146427

Good time of day,

Thank you for choosing UK Safety Management Ltd. to carry out your Portable Appliance Testing.

Please find enclosed your invoice.

Claire Carey
www.uksafetymanagement.co.uk

The sender's name and reference number are randomly generated. Attached is a file in the format invoice29111658.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]).

Analysis of the documents is pending. However, this is likely to be the Dridex banking trojan.

The payload appears to be the same as the one found in this spam run.

Malware spam: "FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice"

This fake financial spam comes with a malicious attachment. The sender's name and reference number are randomly generated.

From:    Josie Ruiz
Date:    23 December 2015 at 11:38
Subject:    FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice

Dear Sir/Madam,

Re:  Meridian Professional Fees

Please find attached our fee note for services provided, which we trust meets with your approval.

Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.

We look forward to your remittance in due course.

Yours sincerely
Josie Ruiz
Financial CEO

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
The information in this email and any attachments are the property of ALTAVIA or its affiliates and may contain proprietary and confidential information that is intended for the addressee(s) only. If you are not the intended recipient, please refrain from any disclosure, copying, distribution, retention or use of this information. You are hereby notified that such actions are prohibited and could be illegal. If you have received this e-mail in error, please immediately contact the sender and delete the e-mail. We appreciate your cooperation. Email transmissions being not guaranteed, ALTAVIA and its affiliates decline their liability due to this email transmission, specifically when altered, modified or falsified.
The information contained in this e-mail and any attached files is the property of ALTAVIA and/or its subsidiaries and may be confidential and private information addressed to the attention of its recipient only. If you are not the recipient of the message, please do not disclose, copy, distribute, retain or use this information. You are hereby notified that such actions are prohibited and may be illegal. If you have received this e-mail in error, please contact the sender immediately and destroy this e-mail. Thank you for your cooperation. As online correspondence is not an entirely secure medium, ALTAVIA and its subsidiaries decline all liability in respect of this transmission, in particular if its content has been altered, distorted or falsified.
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

The attachment has the same reference number as the subject, and there are at least five different versions (VirusTotal results [1] [2] [3] [4] [5]).

Analysis of the documents is pending, but this is likely to be the Dridex banking trojan.

UPDATE 1

Hybrid Analysis of some of the samples [1] [2] shows some download locations:

146.120.89.92/volkswagen/bettle.php
109.234.34.164/volkswagen/bettle.php


Those IPs belong to:

146.120.89.92 (Ukrainian Internet Names Center LTD, Ukraine)
109.234.34.164 (McHost.Ru Inc, Russia)


This is actually an executable with a detection rate of 4/53. The purpose of this executable is unknown, but it is certainly malicious. Analysis is still pending.

UPDATE 2

This Threat Expert report and this Hybrid Analysis both report traffic to a presumably hacked server at:

104.131.59.185 (Digital Ocean, US)

Recommended blocklist:
104.131.59.185
146.120.89.92
109.234.34.164

Tuesday, 22 December 2015

Malware spam: "CWIH8974 PAYMENT RECEIVED" / "Avril Sparrowhawk [Avril.Sparrowhawk@lescaves.co.uk]"

This fake financial spam does not come from Les Caves de Pyrene but is instead a simple forgery with a malicious attachment.

From:    Avril Sparrowhawk [Avril.Sparrowhawk@lescaves.co.uk]
Date:    22 December 2015 at 11:14
Subject:    CWIH8974 PAYMENT RECEIVED
 
Good afternoon

Thanks very much for your payment we recently from you, however there was a missed invoice.  Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?

I have attached the invoice for your reference.

Kind regards
Avril

Avril Sparrowhawk
Credit Controller
Les Caves De Pyrene
Pew Corner
Old Portsmouth Road
Artington
Guildford
GU3 1LP

' +44 (0)1483 554784
6 +44  (0)1483 455068

CWIH8974.doc
92K

Attached is a malicious document CWIH8974.doc of which I have seen just a single sample with a VirusTotal detection rate of 2/54. There may be other variations of the document, but in this case it downloads a malicious binary from:

secure.novatronica.com/786h8yh/87t5fv.exe

This has a VirusTotal detection rate of 2/53 and is the same payload as found in this earlier spam run, leading to the Dridex banking trojan.


Malware spam: "British Gas - A/c No. 602131633 - New Account" / trinity [trinity@topsource.co.uk]

This fake financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple forgery with a malicious attachment.

From:    trinity [trinity@topsource.co.uk]
Date:    22 December 2015 at 10:36
Subject:    British Gas - A/c No. 602131633 - New Account

Hi ,

Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.

Thanks & Regards,
Pallavi Parvatkar

Trinity Restaurants Accounts Team | TopSource Global Solutions | 020 3002 6203
4th Floor | Marlborough House | 10 Earlham Street | London WC2H 9LN | www.topsource.co.uk


Disclaimer:
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. TopSource does not accept liability for any errors or omissions.

"SAVE PAPER - THINK BEFORE YOU PRINT!"

British Gas.doc
92K

Attached is a file British Gas.doc with a VirusTotal detection rate of 2/54. Analysis of the document is pending; however, it will most likely drop the Dridex banking trojan.

UPDATE

These automated analyses [1] [2] show that the malicious document downloads from:

weddingme.net/786h8yh/87t5fv.exe

This has a VirusTotal detection rate of 3/54.  All those reports indicate malicious traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)


The payload looks like Dridex.

MD5s:
cacb79e05cf54490a7067aa1544083fa
c8694f1573a01b8b2cb7b1b502eb9372

Recommended blocklist:
199.7.136.88
151.80.142.33


Monday, 21 December 2015

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/


Many thanks,

Brenda Howcroft
Office Manager

t 01756 793335 sales
t 01756 790160 accounts

This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender, Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.


Invoice 14702.doc
83K

Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

110.164.184.28/jh45wf/98i76u6h.exe
getmooresuccess.com/jh45wf/98i76u6h.exe
rahayu-homespa.com/jh45wf/98i76u6h.exe

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to:

199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)


The payload is the Dridex banking trojan.

MD5s:


Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169

Thursday, 17 December 2015

Malware spam: "Your new PHS documents are attached" / "PHSOnline [documents@phsonline.co.uk]"

This convincing-looking fake financial email does not come from PHS, but is instead a simple forgery with a malicious attachment:

From:    PHSOnline [documents@phsonline.co.uk]
Date:    17 December 2015 at 11:48
Subject:    Your new PHS documents are attached

Delivery of new PHS document(s)
 
 
Dear Customer
 
Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.
 
We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.
 
Regards
 
PHS Group
 
To ensure that you continue receiving our emails, please add documents@phsonline.co.uk to your address book or safe list.
 
 
Contact us
Connect with PHS: Twitter   Facebook
 
 
This email was sent by Personnel Hygiene Services Limited - a member of the PHS Group. This company is registered in England & Wales to the address: PHS Group, Block B, Western Ind Estate, Caerphilly CF83 1XH. Company Reg No: 05384799 VAT No: GB542951438

G-A0287580036267754265.xls
70K

Effectively, this is a re-run of this spam from October.

I have only seen a single sample of this. There is a malicious Excel document attached, G-A0287580036267754265.xls with a VirusTotal detection rate of 4/54. According to the Malwr report this attempts to download a binary from:

infosystems-gmbh.de/65dfg77/kmn653.exe

At present, this download location 404s but other versions of the document will probably have different download locations.  The payload is the Dridex banking trojan, as seen several times today [1] [2] [3] [4].

Malware spam: "Required your attention" leads to Teslacrypt

This spam email has a malicious attachment:

From:    Brittany Quinn
Date:    17 December 2015 at 10:52
Subject:    Required your attention

Dear Partner,

As per your request, we have made special prices for you, which leave us only a very small margin.

Kindly find attached the prices with your personal discount, and if you need anything else, don’t hesitate to contact us.

Our best wishes, The sales team
The sender's name varies from email to email, as does the name of the attachment, but it is in a format similar to SCAN_PRICES_01106759.zip. Contained within is a malicious obfuscated Javascript with a detection rate of 6/54 which is a bit clearer when deobfuscated, and it downloads from:

whatdidyaysay.com/97.exe?1
iamthewinnerhere.com/97.exe?1

This has a detection rate of 3/53. Automated analysis is inconclusive [1] [2] but this is Teslacrypt and is likely to be similar in characteristics to this spam run.

Malware spam: "Your Latest Right Fuel Card Invoice is Attached" / "Right Fuel Card Company [invoice@rightfuelcard.co.uk]"

This fake financial email is not from Right Fuel Card Company but is instead a simple forgery with a malicious attachment.

From:    Right Fuel Card Company [invoice@rightfuelcard.co.uk]
Date:    17 December 2015 at 11:11
Subject:    Your Latest Right Fuel Card Invoice is Attached


Please find attached your latest invoice.

PLEASE ALSO NOTE OUR NEW OPENING HOURS ARE:
Monday - Thursday 9am - 5pm
Friday 9am - 3pm

For a copy of our latest Terms & Conditions please visit www.rightfuelcard.co.uk

Should you have any queries please do not hesitate to call us on 0845 625 0153 (Calls to this number cost 5 pence per minute plus your telephone company's access charge) or via email to info@rightfuelcard.co.uk.

Regards

Customer Services
The Right Fuelcard Company Limited

Attached is a file A01CardInv1318489.xls - at present I only have a single sample of this. VirusTotal is down at the moment so I cannot tell you the detection rate. The Malwr analysis shows behaviour consistent with several Dridex runs going on this morning, with a download from:

infosystems-gmbh.de/65dfg77/kmn653.exe

The payload is the Dridex banking trojan, and is identical to the payload here, here and here.


Malware spam: "Currys PC World [noreply_stores@currys.co.uk]" / "Your eReceipt"

This very convincing-looking email is not from Currys PC World but is instead a simple forgery with a malicious attachment.

From:    Currys PC World [noreply_stores@currys.co.uk]
Date:    17 December 2015 at 08:27
Subject:    Your eReceipt


Currys PC World
Thank you.
Thank you for your purchase from Currys PC World.
Your e-receipt is attached for your records.
We understand that sometimes products need to be returned. You can either return it to your nearest store or call 0344 561 1234 from the UK or 1890 400 001 from the Republic of Ireland to speak to our customer services team to discuss a refund or exchange. Please have your e-receipt number to hand to speed up the process.

Some email mobile apps don't always show attachments. If you can't see the attachment, simply forward this email to another email address to view and save.

Thank you once again from everyone at Currys PC World.
Terms and conditions
You are receiving this service email because you made a purchase from us and requested an electronic copy of your receipt. Please do not reply to this email. If you need to contact us you can do so at: customer.services@currys.co.uk
Currys is a trading name of DSG Retail Limited, Maylands Avenue, Hemel Hempstead, Hertfordshire HP2 7TG, registered in England No. 504877, VAT No. 226659933. © DSG Retail Ireland Ltd, Unit 9A, The Park, Carrickmines, Dublin 18, Ireland Incorporated in Ireland, a private company with issued shares. Registration Number 259460.

e-Receipt.doc
77K

There are a few different versions of the attachment with fairly low detection rates [1] [2] and analysis of those two examples shows that the macro downloads from the following locations:

old.durchgegorene-weine.de/65dfg77/kmn653.exe
www.riucreatives.com/65dfg77/kmn653.exe


The payload here is the Dridex banking trojan and is identical to the one found here and here.

Malware spam: "James Wheatley sent you an document file!" / wheatjam@gmail.com

Poor old James Wheatley is a real person who must have pissed off some Russians somewhere (perhaps it is a Joe Job). This fake WhatsApp spam in his name has a malicious attachment.

From:    James Wheatley [wheatjam@gmail.com]
Date:    17 December 2015 at 09:50
Subject:    James Wheatley sent you an document file!

---
---
Sent by WhatsApp
There seem to be a few variants of the attachment; these have a detection rate of about 4/55 [1] [2], and analysis of those two examples [3] [4] shows they download a malicious binary from:

www.nz77.de/65dfg77/kmn653.exe
old.durchgegorene-weine.de/65dfg77/kmn653.exe


This payload is the same as the one found in this spam run earlier today.


Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake TfL spam is meant to have a malicious attachment, but is malformed.

From:    noresponse@cclondon.com
Date:    17 December 2015 at 08:54
Subject:    Email from Transport for London

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to
read or download this attachment.

If you require Adobe Acrobat Reader this is available at no cost from
the Adobe Website http://www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

The attachment is not properly formatted and appears as a Base64 section of the email. What it should be is a malicious document named FR7000609906.doc which has a VirusTotal detection rate of 4/54.

The Malwr analysis of the document indicates that it downloads from:

www.riucreatives.com/65dfg77/kmn653.exe

This has a detection rate of 3/54 and an MD5 of d5e717617400b3c479228fa756277be1. The Malwr report and Hybrid Analysis indicate network traffic to:

151.80.142.33 (OVH, France)
117.239.73.244 (Marian International Institute Of Management, India)


The payload is likely to be the Dridex banking trojan.

Recommended blocklist:
151.80.142.33
117.239.73.244

Malware spam: "12/16 A Invoice"

This fake financial spam leads to malware:

From:    Kelley Small
Date:    17 December 2015 at 08:39
Subject:    12/16 A Invoice

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Kelley Small
The sender's name is randomly generated, for example:

Harris Page
Leonel Kramer
Gracie Fuentes
Earlene Aguirre
Jerri Whitfield
Art Keith
Freeman Gregory
Moses Larson
Leanna Fletcher

There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2] [3] [4] [5] [6] [7]). Detection rates are close to zero.

The Malwr reports for those documents [1] [2] [3] [4] [5] [6] [7] are a mixed bag, but overall they spot data being POSTed to:

179.60.144.18/chicken/bacon.php
91.203.5.169/chicken/bacon.php


Sources tell me there is another download location of:

195.191.25.145/chicken/bacon.php

Those IPs are likely to be malicious and belong to:

179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)

They also GET from:

savepic.su/6786586.png

A file karp.exe is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with:

80.96.150.201 (SC-Nextra Telecom SRL, Romania)

It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.

MD5s:


Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145

savepic.su

UPDATE 12/1/16 

The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.

Wednesday, 16 December 2015

Malware spam: "Your account has a debt and is past due" leads to Teslacrypt

This fake financial spam comes with an interesting error in the part that is meant to randomly generate the dollar amount:

From:    Frances Figueroa
Date:    16 December 2015 at 17:22
Subject:    Your account has a debt and is past due

Dear Customer,

Our records show that your account has a debt of $345.{rand(10,99)}}. Previous attempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.

The value, sender's name and attachment name are randomly generated. The attachment is named in the format SCAN_INVOICE_79608749.zip which contains a malicious script that attempts to download Teslacrypt ransomware from the following locations:

whatdidyaysay.com/80.exe?1
iamthewinnerhere.com/80.exe?1


This has a VirusTotal detection rate of 3/54 and an MD5 of 5c2a687f9235dd536834632c8185b32e. Those download locations have been registered specifically for this purpose (they are not hacked sites) and are hosted on:

176.99.12.87 (Global Telecommunications Ltd., Russia)
185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
5.178.71.10 (Serverius, Netherlands)


The following malicious sites are also hosted on those IPs:


These automated reports [1] [2] [3] show that the malware calls home to the following legitimate but hacked domains:

sofiehughesphotography.com
goedkoop-weekendjeweg.net
coatesarchitecture.com
hotbizlist.com
adamhughes.in
magaz.mdoy.pro

Recommended minimum blocklist:
176.99.12.87
185.69.152.145
5.178.71.10

whatdidyaysay.com
iamthewinnerhere.com

Malware spam: "Unpaid Invoice from Staples Inc., Ref. 09123456, Urgent Notice" leads to Teslacrypt

This fake financial spam is not from Staples or Realty Solutions but is instead a simple forgery with a malicious attachment.

From:    Virgilio Bradley
Date:    16 December 2015 at 14:37
Subject:    Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice

Dear Valued Customer,

This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.

Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.


Regards,
Virgilio Bradley
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216

The names, amounts and reference numbers change from email to email. The attachment has the same name as the reference (e.g. invoice_09846839_copy.doc), but despite this I have only seen one version, with a VirusTotal detection rate of just 1/55.

According to this Malwr report, the macro in the document downloads a binary from:

iamthewinnerhere.com/97.exe

This appears to be Teslacrypt ransomware and it has a detection rate of 5/53. Unlike some other malware, the domain iamthewinnerhere.com has been registered specifically to host this malware, and is located on:

185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany)


Nameservers are DNS1.SAYMYLANDGOODBYE.IN and DNS2.SAYMYLANDGOODBYE.IN. Other suspect sites on these IPs are:


According to this Malwr report, it then phones back to these legitimate but hacked domains:

sofiehughesphotography.com
magaz.mdoy.pro
adamhughes.in
goedkoop-weekendjeweg.net
hotbizlist.com
coatesarchitecture.com

MD5s:
3999736909019a7e305bc435eb4168fd
8f4bd99c810d517fb2d2b89280759862

Recommended minimum blocklist:
iamthewinnerhere.com
185.69.152.145
84.200.69.60